Some 2.2 million current and former patients of cancer center 21st Century Oncology are being notified this month of a data breach that exposed their Social Security numbers, doctors' names, diagnosis and treatment details, and insurance information. The news comes on the heels of a high-profile ransomware attack against Hollywood Presbyterian Medical Center in Los Angeles, Calif., in which attackers locked down the hospital's systems until it paid a $17,000 ransom.
Healthcare organizations suffer about one cyberattack per month on average as well as the loss or exposure of patient data, according to a new Ponemon Group report published last week. About 13% of healthcare organizations in the US don’t know for sure how many attacks they have experienced, the report found.
The writing has been on the wall for some time: healthcare is a juicy target for financial cybercrime. A recent Trend Micro analysis of 10 years of data breaches catalogued by the nonprofit Privacy Rights Clearinghouse found that more than one-fourth of all reported data breaches since 2005 came from healthcare organizations. And those are only the ones that were reported; experts believe they are only the tip of the iceberg in healthcare, where patient financial and insurance information is lucrative for the bad guys.
21st Century Oncology, a physician-led provider of integrated cancer care services with 181 treatment centers across the US and Latin America, says it was alerted by the FBI in November of last year that an attacker had stolen its patient information, likely from one of its databases that housed patient names, Social Security numbers, physicians' names, diagnosis and treatment details, and insurance information. The FBI asked 21st Century Oncology to hold off on announcing the incident while it investigated the attack.
The healthcare company said in a statement:
"21st Century Oncology is currently investigating an unauthorized third party intrusion into our network. The FBI recently advised 21st Century that patient information was illegally obtained by an unauthorized third party who may have gained access to a 21st Century database. Upon learning of the intrusion, we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security. In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future."
Cameron Camp, a senior security researcher with ESET, which commissioned the Ponemon Group study, says it’s likely that many healthcare organizations don’t even know their networks have been infiltrated. "I imagine this industry is in kind of a discovery phase," Camp says.
Some 535 IT and IT security practitioners in healthcare organizations were surveyed for the report, most of whom come from organizations with 100 to 500 employees.
Twenty-six percent of healthcare organizations in the study weren't sure whether they had suffered a cyber incident in the past year that lost or exposed patient information, Camp says. That's "almost slightly more scary," he says.
Software vulnerabilities more than three months old are the most common root cause of attacks against healthcare organizations: nearly 80% of respondents point to those older vulns, and 75% say Web-borne malware was the culprit. Software vulns less than three months old (70%), spear phishing (69%), and lost or stolen devices (61%) were the other most common causes of security incidents suffered by healthcare organizations.
"There’s a disconnect between perception of security and compliance-driven security," Camp says of the healthcare organizations’ responses in the report. "What they thought were bad things and what actually happened is sort of interesting."
Healthcare organizations in the study said they were hit through vulnerabilities that were more than three months old, so those bugs apparently hadn't been patched. "They're getting hit by old exploits. Is that a knowledge gap?" says Camp, who will deliver a presentation in May at Interop Las Vegas on how malware infiltrates virtual systems.
Advanced persistent threat (APT) incidents hit healthcare organizations about once every three months, according to the Ponemon study. About one-fourth of the respondents say their organization has defenses against these types of attacks, and 21% say they are unsure whether they do. When they are hit by an APT or zero-day attack, 63% say it causes mainly IT downtime, followed by disruption of services for patient care (46%) and theft of personal information (44%).
More than one-third of healthcare organizations suffered a DDoS attack in the past 12 months that cost them an average of $1.32 million.
Healthcare organizations aren't very confident about their security, either: just 33% feel their security is "very effective," with a lack of resources and proper funding making up the bulk of the underlying problem. Spending-wise, healthcare organizations are spending some $23 million on IT, 12% of which goes to security. More than 80% of healthcare organizations say patient medical records are the most lucrative information for cybercriminals and other cyber-attackers, followed by patient billing information (64%) and clinical trial and research data (50%).
"The fact that 21st Century Oncology has been breached should set off alarm bells to other companies in the healthcare industry," says Kevin Watson, CEO of Netsurion, a data and network security services provider for healthcare and other organizations. "We know that hackers are in constant pursuit of highly sensitive, personal data and that they are equipped with sophisticated methods to gain access to it."