Dark Reading is part of the Informa Tech Division of Informa PLC

8/13/2020
05:45 PM

Healthcare Industry Sees Respite From Attacks in First Half of 2020

Breach disclosures are down, and reported ransomware attacks have also plummeted. Good news -- or a calm before the storm?

The number of breaches disclosed by healthcare companies to the US government declined slightly in the first half of the year compared with the latter half of 2019, according to a new analysis of the data provided by the US Department of Health and Human Services. 

The analysis found the number of breach reports declined 10% in the first half of 2020 compared with the previous six months, and the number of compromised records fell by a stunning 83%. Combined with a previously reported decline in reported ransomware attacks on healthcare organizations, the study suggests healthcare companies are seeing fewer cyberattacks. 

The reason for the respite, however, is not clear. The data could suggest that healthcare companies have become more serious about cybersecurity or that cybercriminals have made good on a reported pledge to not interfere with healthcare during the pandemic.

Neither explanation is likely, says Drex DeFord, strategic executive at CI Security, which published the data in a report released today. CIOs have told the company that they are pushing their systems to the limit by having thousands of people work from home, supporting mobile medical staff, and dealing with new suppliers, he says.

"What we are seeing in the breach portal does not feel very consistent with the disruption of sending people home to work, adding a lot of IoT, connecting a lot of new medical devices, and connecting to a lot of new suppliers because you can't get an adequate supply of PPE," DeFord says. "There are a lot of things in there that lead us to believe that there should be more cybercrime and more breaches than are being reported."

Yet breaches are not the only type of attack that declined in the first half. Ransomware targeting healthcare organizations also plummeted, dropping by nearly a factor of 10, from at least 764 incidents in all of 2019 to 41 reported incidents in the first half of 2020.

The surge in 2019 came because cybercriminals found fertile ground for ransomware in the healthcare organizations' vulnerability to phishing attacks and network exploits, and because the organizations could not suffer much downtime to their operations, security software provider Emsisoft said in its 2019 report.

"Ransomware incidents increased sharply in 2019 due to organizations' existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses—combined, these factors created a near-perfect storm," the company stated.

Emsisoft's latest report on ransomware in the first six months of 2020 does not directly attempt to explain the decline in attacks, except to say: "Between January and April 2020, the number of successful attacks on public sector entities decreased month-over-month as the COVID-19 crisis worsened."

Distributed denial-of-service (DDoS), however, is one type of attack that has apparently increased. Network security firm NetScout has seen a 25% increase in DDoS attacks in the first half of 2020 compared with the same period a year ago, the company said. The increase in use of telemedicine during the pandemic may make doctors' offices and hospitals a larger target, says Hardik Modi, assistant vice president of engineering for Netscout's threat and mitigation products.

"The provisioning and delivery of healthcare has undergone a sea change during the COVID period, with a large growth in the use of telehealth," he says. "The increase in prominence of such services tends to attract the attention of the criminal element on the Internet, whether for ransom/extortion campaigns or sheer nihilism."

Dark Reading's own analysis of the US Department of Health and Human Services data shows the number of breaches has declined on average by about 3% in the first half of 2020 compared with the previous six months. In addition, outside of a few major breaches — such as the leak of records by the American Medical Collection Agency that its clients, such as Lab Corp. and Optum360, recorded in July 2019 — the overall number of compromised records remained fairly steady.

The decline in breaches noted in the CI Security report could also be because healthcare firms are not reporting ransomware as a breach or because the organizations do not have the visibility to track threats in their newly distributed workforce. The latter issue could mean attackers have infiltrated networks, but they are doing reconnaissance rather than immediately attacking, says CI Security's DeFord.

"We are looking at the second half of 2020 and considering the amount of dwell time we see with cybercriminals in typical corporate networks," he says. "Our feeling is that they are doing a lot of exploration before they decide to set off ransomware, so we think the second half of 2020 is going to be rough."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
RobertMeyers,
User Rank: Author
8/13/2020 | 7:00:16 PM
Lack of information, not a lack of breaches
The following is the key to this, "The decline in breaches noted in the CI Security report [https://cybersecurity.ci.security/2020-H1-Healthcare-Data-Breach-Report] could also be because healthcare firms are not reporting ransomware as a breach or because the organizations do not have the visibility to track threats in their newly distributed workforce."  

The likelihood of there being an actual drop is very low.  Please remember that it is often 3-6 months or more before a breach is even found.  This is very complicated when you look at the reality of the last 6 months for IT teams.  Their job has been 100% focused on keeping companies operating.  Many security functions have simply not been kept up with.

You should expect to see a much larger than normal increase in the second half of the year.

Thanks for keeping people in the know on what is happening with your article by the way.