The healthcare industry is, once again, on high alert as cybersecurity threats continue to evolve, the latest involving extortion attempts in which a hacker steals data and threatens to publicly release it unless a fee is paid.
As previously reported by Healthcare Informatics last week, a hacker claims to have stolen 655,000 patient records by hacking into three separate healthcare databases and is allegedly selling those patient records on a dark web marketplace. The hacker claims to be trying to sell “a unique one-off copy of each of the three databases which are ranging in price from 151 bitcoin (about $100,000) to 607 bitcoin (about $395,000),” according to the original article about the incident published on DeepDotWeb.
DeepDotWeb also reported last week that the same hacker claims to have put 9.3 million patient records hacked from a healthcare insurance database up for sale on the dark web. The hacker is supposedly selling that database for 750 bitcoin, or around $485,000, DeepDotWeb reported. That brings the total number of patient records the hacker is selling on the dark web to more than 10 million.
Mac McMillan, noted data security expert and CEO of the Austin, Texas-based consulting firm CynergisTek, says these recent attacks demonstrate the natural evolution of the security threat.
“You have to remember you are dealing with people who have already demonstrated that they will exploit you. Why does it surprise anyone that when they are successful, they look for ways to increase that success, like partial releases of data for multiple ransoms? If you will pay once, why not see if you’ll continue to pay? Hence the problem with paying ransoms. Let’s not also forget that this attack was not like before. The attacker here did not encrypt the data, they simply stole it, and then offered it back for ransom. The problem here is that the attacker ‘DID’ actually have access to the data,” he says.
George Conklin, CIO at the Irving, Texas-based Christus Health, a 60-hospital integrated healthcare delivery system, notes that these latest developments in data security are “the new normal.” “It’s an example of the kind of creativity that’s out there, and it’s unfortunate that the creativity that’s out there is put to negative ends, but we have to learn to be responsive to it.”
And, McMillan, who has spoken openly and often about cyber defense strategies for healthcare organizations, highlights that there are a number of security measures that organizations should focus on to prevent hackers from gaining access to and extracting data.
“There are several, but first and foremost, one security measure would be simply maintaining their enterprise at a high state of readiness. Then there are monitoring solutions and services to assist in recognizing attacks. And then, finally, technologies to help stop the exfiltration of data such as a data loss prevention solution,” he says.
According to the DeepDotWeb article, the hacker allegedly used “an exploit in how companies use RDP” (remote desktop protocol) to gain access to the three healthcare organizations’ data servers. According to McMillan, this is a “common attack vector in all industry sectors, not just healthcare.”
“It is commonly known that many remote desktop protocols have vulnerabilities and hackers scan the Internet looking for systems with RDP running. First and foremost, turn it off. If you can’t for some reason, make sure it is patched and secured,” he says.
In addition to this alarming development of hackers threatening to sell patient health records on the dark web, there also have been recent data breaches in which unauthorized individuals gained access to a third-party vendor’s electronic files, thereby exposing healthcare organizations’ patient files. As previously reported by HCI, a malicious hacker attacked the data servers of ambulatory software and electronic health records vendor Bizmatics, potentially exposing the protected health information of close to 150,000 patients. A healthcare provider in Colorado, Vincent Vein Center, is the latest organization to notify the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) about a breach of protected health information stemming from a malicious hacker attacking Bizmatics’ data servers. Based on the breach incidents filed with OCR, it appears that data breaches affecting at least six healthcare providers stem from the Bizmatics data server hack, which, according to letters sent to the vendor’s clients, occurred in January 2015. According to the OCR breach portal, those breaches potentially impact the PHI of 149,776 individuals.
And, HCI Managing Editor Rajiv Leventhal also reported that Massachusetts General Hospital recently acknowledged a breach in which an unauthorized individual gained access to electronic files used on a software vendor’s systems and that breach exposed the information of some 4,300 dental patients.
Healthcare data security experts have pointed out that electronic health records fetch a high price on the black market because they typically contain credit card data, email addresses, Social Security numbers, employment information and medical history records, and cyber thieves can use that data to launch spear phishing attacks, commit fraud and steal medical identities.
The average global cost of a data breach in the healthcare industry is $355 per stolen record, more than twice the average global cost across all industries, according to the Ponemon 2016 Cost of Data Breach study. The study found that the average cost of a data breach for companies surveyed has grown to $4 million, representing a 29 percent increase since 2013, and the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year’s study. The average per capita cost of a data breach has increased 15 percent since 2013. That study concluded that data breaches are now a consistent cost of doing business in the cybercrime era.
Patient records continue to be a high-value target for cyber thieves, and these recent breaches highlight that third-party vendors continue to be a major security concern for healthcare providers. Even if providers have top security measures in place, they need to consider the vulnerabilities of third- and fourth-party vendors.
“Start by paying close attention to what exactly you share with a third party or give them access to,” McMillan says. “Second, evaluate the vendors you do business with. Can they at least demonstrate they understand information security and that they observe good practices? Request that your vendors who will have electronic access to your environment or process or who will store information for you provide evidence of an independent third-party assessment.”