11:00 AM
Connect Directly

Cancer Center Breach Another Symptom Of Healthcares Growing Epidemic

Healthcare organizations suffered nearly one cyberattack per month in the past year, with nearly 50% saying patient information was exposed.

Some 2.2 million current and former patients of cancer center 21st Century Oncology are being notified this month of a data breach that exposed their social security numbers, doctors’ names, diagnosis and treatment, and insurance information. The news comes on the heels of a high-profile ransomware attack against Hollywood Presbyterian Medical Center in Los Angeles, Calif., that held the hospital's systems for ransom until Hollywood Presbyterian paid the $17,000 ransom.

Healthcare organizations suffer about one cyberattack per month on average as well as the loss or exposure of patient data, according to a new Ponemon Group report published last week. About 13% of healthcare organizations in the US don’t know for sure how many attacks they have experienced, the report found.

The writing has been on the wall for some time: healthcare is a juicy target for financial cybercrime. A recent analysis by Trend Micro of 10 years of data breaches catalogued by nonprofit Privacy Rights Clearinghouse found that more than one-fourth of all reported data breaches since 2005 came from healthcare organizations. And those are only the ones that were reported; experts believe this is only the tip of the iceberg today in healthcare, where patient financial and insurance information is financially lucrative for the bad guys.

21st Century Oncology, a physician-led provider of integrated cancer care services in the 181 treatment centers across the US and Latin America, says it was alerted by the FBI in November of last year that an attacker had stolen its patient information, likely from one of its databases that housed patient names, social security numbers, physicians, diagnosis and treatment, and insurance information. The FBI asked 21st Century Oncology to hold off on announcing the incident initially during its investigation of the attack.

The healthcare company said in a statement: 

"21st Century Oncology is currently investigating an unauthorized third party intrusion into our network. The FBI recently advised 21st Century that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database. Upon learning of the intrusion, we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security. In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future."

Cameron Camp, a senior security researcher with ESET, which commissioned the Ponemon Group study, says it’s likely that many healthcare organizations don’t even know their networks have been infiltrated. "I imagine this industry is in kind of a discovery phase," Camp says.

Some 535 IT and IT security practitioners in healthcare organizations were surveyed for the report, most of whom come from organizations with 100- to 500 employees.

Twenty-six percent of healthcare organizations in the study weren’t sure if they had suffered a cyber incident in the past year that lost or exposed patient information, Cameron says. That’s "almost slightly more scary," he says.

And software vulnerabilities older than three months old are the most common root of attacks against healthcare organizations. Nearly 80% point to those older vulns, and 75% say Web-borne malware was the culprit. Software vulns less than three months old (70%), spear phishing (69%), and lost or stolen devices (61%) were the other most common security incidents suffered by healthcare.

"There’s a disconnect between perception of security and compliance-driven security," Camp says of the healthcare organizations’ responses in the report. "What they thought were bad things and what actually happened is sort of interesting."

Healthcare organizations in the study they were hit with vulnerabilities that were more than three months old, so those bugs apparently hadn’t been patched. "They’re getting hit by old exploits. Is that a knowledge gap?" says Camp, who will deliver a presentation in May at Interop Las Vegas on how malware infiltrates virtual systems.

Advanced persistent threat (APT) incidents hit healthcare about once every three months, according to the Ponemon study. About one-fourth of the respondents say their organization has defenses against these types of attacks, and 21% say they are unsure if they do. When they are hit by an APT or zero-day attack, 63% say it causes mainly IT downtime, followed by disruption of services for patient care (46%) and theft of personal information (44%).

More than one-third of healthcare organizations suffered a DDoS attack in the past 12 months that cost them an average of $1.32 million.

Healthcare organizations aren’t very confident about their security, either: just 33% feel their security is "very effective," with a lack of resources and proper funding the bulk of the underlying problem. Spending-wise, healthcare organizations are logging some $23 million on IT, 12% of which goes to security. More than 80% of healthcare organizations say patient medical records is the most lucrative information for cybercriminals and other cyber-attackers, followed by patient billing information (64%) and clinical trial and research (50%).

"The fact that 21st Century Oncology has been breached should set off alarm bells to other companies in the healthcare industry," says Kevin Watson, CEO of Netsurion, a data and network security services provider for healthcare and other organizations. "We know that hackers are in constant pursuit of highly sensitive, personal data and that they are equipped with sophisticated methods to gain access to it."

Related Content:


Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.