Tally Shows Healthcare Hacker Attacks Keep Coming
More Incidents Added to HHS 'Wall of Shame'
In recent weeks, many more hacker attacks - including some ransomware assaults - on healthcare entities large and small have been added to the federal tally of major breaches, continuing a trend that started in 2015.
A Nov. 7 snapshot of the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of breaches impacting 500 or more individuals shows a continuing uptick in reported hacker incidents compared to last year.
For instance, so far the wall of shame shows 23 hacker/IT incidents added to the HHS tally in September and October 2016, compared with eight reported during the same months a year ago. From Jan. 1 to Nov. 7, 2015, there were 51 hacker/IT incidents posted on the wall of shame, compared with 87 such breaches posted in the same period this year.
The surge in hacker attacks gained attention back in early 2015 with major breaches of several large U.S. health plans. The largest of those attacks - and still a record to date - was the hacker assault on Anthem Inc. revealed in February 2015, which impacted nearly 80 million individuals.
This year, hacker incidents - including ransomware attacks - continue to plague healthcare sector entities of all shapes and sizes. The largest such incident reported so far in 2016 is a hacker breach affecting 3.62 million individuals reported in August by Arizona-based Banner Health.
"Healthcare organizations have been targeted by hackers for two main reasons," says Dan Berger, CEO of security consultancy Redspin. "First, patient health records are valuable. In the wrong hands, they can be used for nefarious purposes such as identity theft, insurance or prescription fraud, even blackmail. Second, healthcare has been shown to be a soft target - the percent of IT budgets spent on security still lags behind most other industries."
Recent Hacker Breach Reports
Among the largest hacker incidents added to the wall of shame in recent weeks:
- Mississippi-based Urgent Care Clinic of Oxford reported on Sept. 30 a hacker/IT incident affecting about 64,000 individuals. The walk-in clinic, in its notification letter to patients, said the incident involved ransomware impacting a server, and the investigation so far revealed "it is very likely that the attack was carried out by criminal Russian hackers." Affected data included patients' names, Social Security numbers, dates of birth and other personal information, as well as any health information on file, the letter says. The clinic, which did not reveal in its notification whether it paid a ransom to regain control of its server, did not immediately respond to an Information Security Media Group request for comment.
- Texas-based Integrity Transitional Hospital reported to HHS on Oct. 14 a hacker incident affecting nearly 30,000 individuals. In its notification letter to patients, the facility said that on Aug. 15, it learned that suspicious activity on its network may have affected the systems related to its laboratory services. Its forensics investigation determined that an unauthorized individual potentially could have accessed information maintained on the laboratory systems, which may have included lab results, lab testing information, health insurance information and scanned driver's licenses, the letter notes.
- Massachusetts-based Baystate Health Inc. reported on Oct. 21 a hacking incident affecting more than 13,000 individuals. In its notification letter, Baystate - which includes several hospitals in western Massachusetts - said that it learned on Aug. 22 that a phishing email had been sent to several Baystate employees. Its investigation determined that five workers responded to the email, allowing hackers to access some employees' email accounts. "We immediately took steps to secure the email accounts and began an investigation. We have reported the incident to law enforcement." The information in the employee emails may have included patients' names and dates of birth, diagnosis, treatment received, medical record number and, in some instances, health insurance identification number. No patient medical records were accessed.
Those three recent breaches are among 87 "hacking/IT incidents" affecting a total of 11.4 million individuals reported to HHS so far this year, according to the wall of shame website. In all, some 257 breaches affecting a total of 14.4 million individuals have been added to the tally so far this year.
Since HHS began keeping a tally in September 2009, 1,727 breaches impacting a total of 168.9 million individuals have been posted on the wall of shame. Of those breaches, 242 hacking incidents have affected a total of 126.5 million individuals.
Some experts predict the surge in hacker attacks targeting the healthcare sector will continue - and perhaps worsen. "I believe this trend will intensify into next year as the cybercriminal world evolves its ability to monetize the information stolen from the healthcare sector," says Mac McMillan, CEO of security consulting firm CynergisTek. "The why is simple - it's where the money is."
Smaller organizations are often impacted by "less sophisticated attacks" because they often have fewer resources to defend against these assaults, he notes. "But for the high-end or more sophisticated attacks, the larger aggregators of data [or larger organizations] are going to be a more lucrative target."
As for Urgent Care Clinic of Oxford stating in its notification letter that it believes it was a victim of Russian hackers, McMillan says, "There is no doubt that crime organizations from multiple foreign states are targeting the healthcare sector, and there has certainly been evidence of some 'nation-state' actors, but they are in a different category than simple or even organized criminal hackers. The former is attacking for the same reason as other cybercriminals - to monetize their activities; the latter may have much deeper purposes for their hacks - everything from stealing intellectual property to gathering information on U.S. persons, to socioeconomic intelligence gathering."
Berger says he differentiates between nation-state attacks and coordinated criminal attacks that originate in other countries. "The motivations are different - something of the scale of the Anthem and U.S. Office of Personnel Management breaches were likely coordinated and carried out for potential use in espionage campaigns," he says. "Nation-states have also been known to steal intellectual property. Criminal hackers typically want to make fast money and will sell the data on the dark web as soon as they can."
Patient Safety Concerns
McMillan also notes that the reported hacker attack on laboratory systems of Integrity Transitional Hospital is troubling. "This attack exemplifies why cybersecurity is a patient safety issue," he says. "This attack may have only involved theft of information, but it could have involved disabling the system, tampering with the system itself, or corrupting the data which could lead to incorrect lab results and faulty diagnosis or treatment."
To guard against becoming victims of these and other kinds of cyberattacks, healthcare sector organizations "need to step up their maintenance activities, invest in advanced threat detection capabilities, remain vigilant with user awareness and keep response and recovery plans current," he urges.
Berger also advises healthcare organizations to conduct "full scope" security risk assessments, including penetration testing and social engineering, and to diligently correct or mitigate any weaknesses found.