Attacks/Breaches
12/22/2016
02:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Major Cyberattacks On Healthcare Grew 63% In 2016

US hospitals lack new technologies and best practices to defend against threats, new report says.

Some 93 major cyberattacks hit healthcare organizations this year, up from 57 in 2015, new research shows.

TrapX Labs, a division of TrapX Security, found this 63% increase in attacks on the healthcare industry for the period between January 1, 2016 and December 12. Some may have been ongoing prior to Jan. 1, but for consistency, researchers only used official reporting dates to the Department of Health and Human Services, Office of Civil Rights (HHS OCR).

Among the largest attacks were those on Banner Health (3.6M records), Newkirk Products (3.4M records), 21st Century Oncology (2.2M records), and Valley Anesthesiology Consultants (0.88M records).

Sophisticated attackers are now responsible for 31% of all major HIPAA data breaches reported this year, a 300% increase over the past three years, according to the report. Cybercriminals were responsible for 10% of all major data breaches in 2014 and 21% in 2015.

Despite the rise in attacks, the number of records breached dropped to about 12,057,759. That said, so many millions of health records have been stolen that the value of individual records decreased this year, TrapX reported.

Researchers pinpointed two major trends from 2016: the continued discovery and evolution of medical device hijacking, which TrapX calls MEDJACK and MEDJACK.2, and the increase of ransomware across a variety of targets.

MEDJACK involves the use of backdoors in medical devices like diagnostic or life-support equipment. Hackers use emailed links, malware-equipped memory sticks, and corrupt websites to load tools into these devices, most of which run standard/older operating systems and proprietary software.

"Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data," says Moshe Ben-Simon, co-founder and VP of services at TrapX Labs.

One successful penetration is often enough to give hackers access to the network, where they can find unprotected devices to host attacks, chat with humans, and access information. It's difficult to mitigate the effects of MEDJACK; many hospitals don't even know it happens.

"Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it," Simon explains. "The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices."

Ransomware attacks on large and mid-sized healthcare organizations have also become more diverse. The financial depth and criticality of operations make them easy targets. It's one thing to close a business for one day; it's entirely different to force a hospital shutdown.

A July 2016 survey conducted by Solutionary discovered healthcare is the industry most frequently targeted by malware, accounting for 88% of all detections in Q2. Hackers target healthcare because organizations will usually pay ransom for valuable patient data.

TrapX researchers predict ransomware will reach "unprecedented levels" next year as quick ROI, and easy access to untraceable money such as Bitcoin, make it easier for hackers to launch more attacks at once.

It's one prediction among many that spell trouble for the healthcare industry in 2017.

Experts anticipate cyberattacks targeting the industry will continue to set records, as most hospitals are unaware of breaches and will remain vulnerable to advanced attacks via medical devices. Mid-sized healthcare businesses will be targeted more often, they predict.

However, more advanced equipment may not necessarily solve problems. The Internet of Things is expected to generate new attack vectors, as most IoT devices don't have built-in security and don't let third parties install protective software. If compromised, they provide a backdoor for hackers that can be used for months without hospitals noticing.

Going forward, healthcare organizations will be forced to implement sorely needed security practices. A study from the Healthcare Information and Management Systems Society (HIMSS) found most fail to adopt basic safeguards like anti-malware tools, firewalls, and encryption.

Even as major breaches make headlines, it's difficult to get healthcare execs to tighten their focus on security.

"Traditionally healthcare providers are in the business of saving lives, so the IT security staffs have a difficult time competing for budget dollars," says Lee Kim, HIMSS director of privacy and security. "As recent as five years ago, you would hear people saying that people wouldn't want to attack a healthcare facility because they didn't believe anyone would want to do harm to the patients."

Related Content:

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she's not catching up on the latest in tech, Kelly enjoys ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
haemorrhoiden-selbst-behandeln
50%
50%
haemorrhoiden-selbst-behandeln,
User Rank: Apprentice
1/16/2017 | 6:42:03 AM
security issue
Healtcare IT departments often lags on security. Last year randsomware attacks showed the weakness and IT-admins got some homework to do. Hopefully it will not happen again in this dimension.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/28/2016 | 11:56:22 AM
Attacking healthcare
"Article mentioned "people wouldn't want to attack a healthcare facility because they didn't believe anyone would want to do harm to the patients"

We know that is not the case, patients are people, and they want to attack anything they can including people.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/28/2016 | 11:55:51 AM
Re: Hacking Healthcare
"your EHR usage and allocate that to beefing up both your software/network and personnel/building security practices."

Another good point. Sometimes it is not the system everything else around it. Gmail is quite secure with two factor authentication and yet we see they are able to hack Gmail account.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/28/2016 | 11:52:00 AM
hospitals unaware of breaches
Hospitals are unaware of breaches and as many other organizations, remember Yahoo, they told us they were hacked a few years earlier. Damage may be worse if we do not know early enough
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/28/2016 | 11:51:31 AM
Re: Hacking Healthcare
"A good social engineer only needs to get a malware USB plugged into one or two devices to have access to the hospital network. "

Good point. As we know we will all take the USB drive we found in the parking lot and plug in the computers to see what is inside. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
12/28/2016 | 11:49:07 AM
Ransomware and healthcare data
As article stated hackers target healthcare because organizations will usually pay ransom for patient data simply because the alternative is more costly. They will pay and may not even reveal that there was ransomware attack.
chakhloo
50%
50%
chakhloo,
User Rank: Apprentice
12/23/2016 | 4:51:16 PM
Microsoft Professional Support
This is really a nice post. Thanks for sharing this to us !
Christian Bryant
100%
0%
Christian Bryant,
User Rank: Ninja
12/22/2016 | 7:09:40 PM
Hacking Healthcare
There are a couple different mindsets that need to change here.  The first is that idea of some of the smaller healthcare organizations (mostly individual practices) that hackers aren't interested in hurting patients.  Technically most aren't, but it isn't anything to do with their well-being anyway, but more to do with their personal information.  Once healthcare practices understand that data is used to create new identities, obtain credit cards and used for insurance fraud, they'll realize that by setting up more secure practices they are directly impacting their patients in a positive way. 

The other mindset that needs to change is how larger organizations (the Cedars and Kaisers of the world) deal with drug and device vendors.  These people come and go, sometimes getting into patient care areas, with access to medical devices on the floor.  A good social engineer only needs to get a malware USB plugged into one or two devices to have access to the hospital network.  Even easier, convincing a young intern to plug in a USB and "print something" for them will do the trick, too. 

Some of the larger hospitals are now implementing large Electronic Health Records that require various levels of security even to run properly so that's a plus on one hand, but on the other hand the distraction of large implementations can cover up the low-tech hacks that never get old, and never go away.  Let's take some of that money you're now earning from the governement, folks, for your EHR usage and allocate that to beefing up both your software/network and personnel/building security practices. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.