Dark Reading is part of the Informa Tech Division of Informa PLC



8/13/2020
05:45 PM

Healthcare Industry Sees Respite From Attacks in First Half of 2020

Breach disclosures are down, and reported ransomware attacks have also plummeted. Good news -- or a calm before the storm?

The number of breaches disclosed by healthcare companies to the US government declined slightly in the first half of the year compared with the latter half of 2019, according to a new analysis of the data provided by the US Department of Health and Human Services. 

The analysis found the number of breach reports declined 10% in the first half of 2020 compared with the previous six months, and the number of compromised records fell by a stunning 83%. Combined with a previously reported decline in reported ransomware attacks on healthcare organizations, the study suggests healthcare companies are seeing fewer cyberattacks. 

The reason for the respite, however, is not clear. The data could suggest that healthcare companies have become more serious about cybersecurity or that cybercriminals have made good on a reported pledge to not interfere with healthcare during the pandemic.

Neither explanation is likely, says Drex DeFord, strategic executive at CI Security, which published the data in a report released today. CIOs have told the company that they are pushing their systems to the limit by having thousands of people work from home, supporting mobile medical staff, and dealing with new suppliers, he says.

"What we are seeing in the breach portal does not feel very consistent with the disruption of sending people home to work, adding a lot of IoT, connecting a lot of new medical devices, and connecting to a lot of new suppliers because you can't get an adequate supply of PPE," DeFord says. "There are a lot of things in there that lead us to believe that there should be more cybercrime and more breaches than are being reported."

Yet breaches are not the only type of attack that declined in the first half. Ransomware targeting healthcare organizations also plummeted, dropping by nearly a factor of 10, from at least 764 incidents in all of 2019 to 41 reported incidents in the first half of 2020.

The surge in 2019 came because cybercriminals found fertile ground for ransomware in the healthcare organizations' vulnerability to phishing attacks and network exploits, and because the organizations could not suffer much downtime to their operations, security software provider Emsisoft said in its 2019 report.

"Ransomware incidents increased sharply in 2019 due to organizations' existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses—combined, these factors created a near-perfect storm," the company stated.

Emsisoft's latest report on ransomware in the first six months of 2020 does not directly attempt to explain the decline in attacks, except to say: "Between January and April 2020, the number of successful attacks on public sector entities decreased month-over-month as the COVID-19 crisis worsened."

Distributed denial-of-service (DDoS), however, is one type of attack that has apparently increased. Network security firm NetScout has seen a 25% increase in DDoS attacks in the first half of 2020 compared with the same period a year ago, the company said. The increase in use of telemedicine during the pandemic may make doctors' offices and hospitals a larger target, says Hardik Modi, assistant vice president of engineering for NetScout's threat and mitigation products.

"The provisioning and delivery of healthcare has undergone a sea change during the COVID period, with a large growth in the use of telehealth," he says. "The increase in prominence of such services tends to attract the attention of the criminal element on the Internet, whether for ransom/extortion campaigns or sheer nihilism."

Dark Reading's own analysis of the US Department of Health and Human Services data shows the number of breaches has declined on average by about 3% in the first half of 2020 compared with the previous six months. In addition, outside of a few major breaches — such as the leak of records by the American Medical Collection Agency that its clients, such as Lab Corp. and Optum360, recorded in July 2019 — the overall number of compromised records remained fairly steady.

The decline in breaches noted in the CI Security report could also be because healthcare firms are not reporting ransomware as a breach or because the organizations do not have the visibility to track threats in their newly distributed workforce. The latter issue could mean attackers have infiltrated networks, but they are doing reconnaissance rather than immediately attacking, says CI Security's DeFord.

"We are looking at the second half of 2020 and considering the amount of dwell time we see with cybercriminals in typical corporate networks," he says. "Our feeling is that they are doing a lot of exploration before they decide to set off ransomware, so we think the second half of 2020 is going to be rough."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 

Comments
RobertMeyers,
User Rank: Author
8/13/2020 | 7:00:16 PM
Lack of information, not a lack of breaches
The following is the key to this, "The decline in breaches noted in the CI Security report [https://cybersecurity.ci.security/2020-H1-Healthcare-Data-Breach-Report] could also be because healthcare firms are not reporting ransomware as a breach or because the organizations do not have the visibility to track threats in their newly distributed workforce."  

The likelihood of there being an actual drop is very low.  Please remember that it is often 3-6 months or more before a breach is even found.  This is very complicated when you look at the reality of the last 6 months for IT teams.  Their job has been 100% focused on keeping companies operating.  Many security functions have simply not been kept up with.

You should expect to see a much larger than normal increase in the second half of the year.

Thanks for keeping people in the know on what is happening with your article by the way.