As we look back at the year 2016 from a cybersecurity viewpoint, we find two definite trends:
- The proliferation of ransomware mushroomed to the extent it became a $1 billion industry
- The specific targeting of healthcare organizations by hackers to obtain patient health information for profiteering
Ransomware Attacks on Healthcare Organizations
A definitive example of both trends occurred in February 2016, in the highly publicized ransomware attack on the Hollywood Presbyterian Medical Center in Southern California. The attack was launched in the classic style: a hospital employee clicked a link embedded in an email. That single action allowed the malicious software to infiltrate the network and begin encrypting data across numerous data silos. A short time later, the IT staff was forced to shut down the network, and hospital staff members were limited to pen and paper for basic medical record keeping. Hundreds of patients were diverted to other nearby hospitals and most medical procedures were canceled. Some medical service departments within the hospital were shut down completely. After the attackers had made their point, and after much negotiation, hospital administrators relented and paid a ransom of $17,000.
Although this incident stole many headlines, it is but one single occurrence in a growing trend. Throughout that month, hospitals from Henderson, Kentucky to Neuss, Germany were hit with similar attacks. This pattern of attacks continued throughout the rest of the year. During the last quarter of 2016, the Keck Medical Center of USC reported ransomware attacks at two of their hospitals as well as six separate sites of the New Jersey Spine Center.
It is estimated that 88 percent of ransomware attacks during the second quarter of 2016 were directed at health care organizations. The threat is so concerning that Jocelyn Samuels, Director of the HHS Office for Civil Rights, said:
“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”
Fortunately, the resulting damage in the majority of these ransomware attacks is limited to only temporary downtime and a tarnished public image. Regrettably, there are greater concerns the health industry must worry about.
The DarkOverLord Hacker
Over the summer of 2016, the personal health information of more than 655,000 people was compromised in a trio of attacks by a hacker operating under the name “The DarkOverLord,” a former ransomware expert who has now chosen to pursue the higher-stakes game of stealing protected health information (PHI) records. The hacker accessed all three companies through a SaaS vendor to which they subscribed. The largest of the three attacks was against a large medical clinic in Atlanta, GA, and resulted in the theft of 397,000 patient records, including primary and secondary health insurance and policy numbers. A second breach yielded 210,000 records that included Social Security numbers. The breaches came to light when The DarkOverLord contacted all three organizations to alert them, sending screenshots of data samples posted on a site called RealDealMarket. This site resides on the dark web and is a common portal used by cybercriminals to sell, purchase and exchange everything from stolen credit cards to patient health records and even drugs. The DarkOverLord threatened to sell the stolen data to the highest bidder unless each organization paid a fee of $1 per stolen record. At this time there has been no formal update as to whether the companies paid the extortion fees.
Attacks on Healthcare Companies are Growing
These attacks are but a small representation of the many breaches that have occurred over the past couple of years within the healthcare industry. In fact, 80 percent of industry executives surveyed by KPMG said their information technology had been compromised in 2015. As an example of the increasing number of targeted attacks, leading security research organization Ponemon Institute estimates that criminal attacks on healthcare information systems rose by 125 percent between 2010 and 2015. In fact, five of the eight largest healthcare breaches since 2010 took place in 2015 alone, involving over 100 million patient health records. On an industry-wide basis, the cost of these attacks is as high as $6.2 billion a year.
A study conducted by the IBM X-Force exemplifies this disturbing trend within their findings by the following comparison:
The top five industries in 2015 for cyberattacks:
- Financial services
The top five industries in 2014 for cyberattacks:
- Financial services
And if all of this weren’t enough, a study conducted by the Association of Corporate Counsel shows that 97 percent of corporate health care attorneys believe their organizations are at greater risk for cyberattack than other industries. Some of the other findings from the survey include:
- 70 percent of those surveyed are working to develop data security expertise to fulfill that need.
- 84 percent say they have been called upon to evaluate whether a security incident implicates reporting obligations. Most of them have then been asked to develop relevant internal policies and procedures.
- One-third said their organizations' plans were out of date for dealing with the latest types of cyberthreats or organizational changes.
- 40 percent reported that their organizations or clients have plans that are too generic and lack specific guidance and testing.
The Reasons Why the Healthcare Industry is Being Targeted
It should be no surprise that hackers have come to realize the lucrative potential of the healthcare industry. Personal information has a high dollar value on the black market. In another report by the InfoSec Institute, Medicare ID numbers fetched a far higher price on the black market and dark web than did Social Security numbers in 2015. A huge detriment of electronic health records is that, unlike credit cards, medical data cannot simply be canceled and reissued. This may explain why patient health records garner up to ten times more than credit card numbers.
What’s more, hospitals and procedure clinics demand data availability and network uptime of 100 percent. Unfortunately, many healthcare organizations lack experienced cybersecurity specialists on staff. Even more challenging is that the typical healthcare office utilizes so many types of unmanaged computing devices.
Although industry executives, legal counselors, the U.S. Congress, and other governments are now recognizing the seriousness of the problem, much work is still needed to combat the rapidly growing number of these attacks. Hopefully, 2017 proves to be a better year for IT security.