Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:15 PM
Connect Directly

Major Cyberattacks On Healthcare Grew 63% In 2016

US hospitals lack new technologies and best practices to defend against threats, new report says.

Some 93 major cyberattacks hit healthcare organizations this year, up from 57 in 2015, new research shows.

TrapX Labs, a division of TrapX Security, found this 63% increase in attacks on the healthcare industry for the period between January 1, 2016 and December 12. Some may have been ongoing prior to Jan. 1, but for consistency, researchers only used official reporting dates to the Department of Health and Human Services, Office of Civil Rights (HHS OCR).

Among the largest attacks were those on Banner Health (3.6M records), Newkirk Products (3.4M records), 21st Century Oncology (2.2M records), and Valley Anesthesiology Consultants (0.88M records).

Sophisticated attackers are now responsible for 31% of all major HIPAA data breaches reported this year, a 300% increase over the past three years, according to the report. Cybercriminals were responsible for 10% of all major data breaches in 2014 and 21% in 2015.

Despite the rise in attacks, the number of records breached dropped to about 12,057,759. That said, so many millions of health records have been stolen that the value of individual records decreased this year, TrapX reported.

Researchers pinpointed two major trends from 2016: the continued discovery and evolution of medical device hijacking, which TrapX calls MEDJACK and MEDJACK.2, and the increase of ransomware across a variety of targets.

MEDJACK involves the use of backdoors in medical devices like diagnostic or life-support equipment. Hackers use emailed links, malware-equipped memory sticks, and corrupt websites to load tools into these devices, most of which run standard/older operating systems and proprietary software.

"Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data," says Moshe Ben-Simon, co-founder and VP of services at TrapX Labs.

One successful penetration is often enough to give hackers access to the network, where they can find unprotected devices to host attacks, chat with humans, and access information. It's difficult to mitigate the effects of MEDJACK; many hospitals don't even know it happens.

"Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it," Simon explains. "The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices."

Ransomware attacks on large and mid-sized healthcare organizations have also become more diverse. The financial depth and criticality of operations make them easy targets. It's one thing to close a business for one day; it's entirely different to force a hospital shutdown.

A July 2016 survey conducted by Solutionary discovered healthcare is the industry most frequently targeted by malware, accounting for 88% of all detections in Q2. Hackers target healthcare because organizations will usually pay ransom for valuable patient data.

TrapX researchers predict ransomware will reach "unprecedented levels" next year as quick ROI, and easy access to untraceable money such as Bitcoin, make it easier for hackers to launch more attacks at once.

It's one prediction among many that spell trouble for the healthcare industry in 2017.

Experts anticipate cyberattacks targeting the industry will continue to set records, as most hospitals are unaware of breaches and will remain vulnerable to advanced attacks via medical devices. Mid-sized healthcare businesses will be targeted more often, they predict.

However, more advanced equipment may not necessarily solve problems. The Internet of Things is expected to generate new attack vectors, as most IoT devices don't have built-in security and don't let third parties install protective software. If compromised, they provide a backdoor for hackers that can be used for months without hospitals noticing.

Going forward, healthcare organizations will be forced to implement sorely needed security practices. A study from the Healthcare Information and Management Systems Society (HIMSS) found most fail to adopt basic safeguards like anti-malware tools, firewalls, and encryption.

Even as major breaches make headlines, it's difficult to get healthcare execs to tighten their focus on security.

"Traditionally healthcare providers are in the business of saving lives, so the IT security staffs have a difficult time competing for budget dollars," says Lee Kim, HIMSS director of privacy and security. "As recent as five years ago, you would hear people saying that people wouldn't want to attack a healthcare facility because they didn't believe anyone would want to do harm to the patients."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/16/2017 | 6:42:03 AM
security issue
Healtcare IT departments often lags on security. Last year randsomware attacks showed the weakness and IT-admins got some homework to do. Hopefully it will not happen again in this dimension.
User Rank: Ninja
12/28/2016 | 11:56:22 AM
Attacking healthcare
"Article mentioned "people wouldn't want to attack a healthcare facility because they didn't believe anyone would want to do harm to the patients"

We know that is not the case, patients are people, and they want to attack anything they can including people.
User Rank: Ninja
12/28/2016 | 11:55:51 AM
Re: Hacking Healthcare
"your EHR usage and allocate that to beefing up both your software/network and personnel/building security practices."

Another good point. Sometimes it is not the system everything else around it. Gmail is quite secure with two factor authentication and yet we see they are able to hack Gmail account.
User Rank: Ninja
12/28/2016 | 11:52:00 AM
hospitals unaware of breaches
Hospitals are unaware of breaches and as many other organizations, remember Yahoo, they told us they were hacked a few years earlier. Damage may be worse if we do not know early enough
User Rank: Ninja
12/28/2016 | 11:51:31 AM
Re: Hacking Healthcare
"A good social engineer only needs to get a malware USB plugged into one or two devices to have access to the hospital network. "

Good point. As we know we will all take the USB drive we found in the parking lot and plug in the computers to see what is inside. 
User Rank: Ninja
12/28/2016 | 11:49:07 AM
Ransomware and healthcare data
As article stated hackers target healthcare because organizations will usually pay ransom for patient data simply because the alternative is more costly. They will pay and may not even reveal that there was ransomware attack.
User Rank: Strategist
12/23/2016 | 4:51:16 PM
Microsoft Professional Support
This is really a nice post. Thanks for sharing this to us !
User Rank: Ninja
12/22/2016 | 7:09:40 PM
Hacking Healthcare
There are a couple different mindsets that need to change here.  The first is that idea of some of the smaller healthcare organizations (mostly individual practices) that hackers aren't interested in hurting patients.  Technically most aren't, but it isn't anything to do with their well-being anyway, but more to do with their personal information.  Once healthcare practices understand that data is used to create new identities, obtain credit cards and used for insurance fraud, they'll realize that by setting up more secure practices they are directly impacting their patients in a positive way. 

The other mindset that needs to change is how larger organizations (the Cedars and Kaisers of the world) deal with drug and device vendors.  These people come and go, sometimes getting into patient care areas, with access to medical devices on the floor.  A good social engineer only needs to get a malware USB plugged into one or two devices to have access to the hospital network.  Even easier, convincing a young intern to plug in a USB and "print something" for them will do the trick, too. 

Some of the larger hospitals are now implementing large Electronic Health Records that require various levels of security even to run properly so that's a plus on one hand, but on the other hand the distraction of large implementations can cover up the low-tech hacks that never get old, and never go away.  Let's take some of that money you're now earning from the governement, folks, for your EHR usage and allocate that to beefing up both your software/network and personnel/building security practices. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...