What Can the Industry Learn from Recent High-Profile Healthcare Cyber Attacks? | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

What Can the Industry Learn from Recent High-Profile Healthcare Cyber Attacks?

July 26, 2018
by Heather Landi
| Reprints
The recent cyber attack on Singapore’s public health system represents a "big picture" pattern, one cybersecurity expert says
Click To View Gallery

While a recent report found that healthcare ransomware attacks declined in the first half of 2018, a spate of recent high-profile healthcare cybersecurity incidents the past few months serves as a stark reminder that the healthcare industry continues to be a ripe target for cyber attacks.

A cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister, Singapore Ministry of Health officials announced on July 20. The breach impacted about a quarter of Singapore’s population of 5.6 million people. In a statement, officials said that it was a “deliberate, targeted and well-planned cyber attack,” and “not the work of casual hackers or criminal gangs.”

The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines, Ministry of Health officials said. Around 1.5 million people who visited outpatient clinics from May 1, 2015, to July 4, 2018 this year had their personal data accessed and copied, including names, identification card numbers, addresses, race, gender and dates of birth, officials said.

Kurt Long, CEO of healthcare data privacy company FairWarning, said the SingHealth data breach represents a “big picture” pattern. “Attackers and insider threats are increasingly more sophisticated in their tactics and can conduct widescale attacks associated with espionage, drug diversion, blackmail, fraud, identity theft, and cybersecurity attacks. Care providers need to implement robust behavioral monitoring tools to prevent incidents before they start,” Long said.

LabCorp, one of the largest clinical labs in the U.S., says it was hit with a new variant of ransomware during the weekend of July 14 and the company immediately took certain IT systems offline, according to a company statement. The public became aware of the security incident when LabCorp disclosed the incident via an 8-K filing with the Securities Exchange Commission. In that disclosure, the Burlington, N.C.-based laboratory diagnostics company said it had “detected suspicious activity on its information technology network.”

Webinar

Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of...

LabCorp said it immediately took certain systems offline as part of its comprehensive response to contain the activity and noted that this “temporarily affected test processing and customer access to test results on or over the weekend.” In a statement posted on its website, LabCorp said the “suspicious activity” was subsequently determined to be a new variant of ransomware. Operations have returned to normal, the company said.

The ransomware was detected only on LabCorp Diagnostics systems; Covance Drug Development systems were not affected by the ransomware. “As part of our in-depth and ongoing investigation into this incident, LabCorp has engaged outside security experts and is working with authorities, including law enforcement. The investigation has found no evidence of theft or misuse of customer or patient data,” the company stated. “We are confident that this ransomware did not and cannot spread to customer networks. LabCorp blocked the ransomware and enhanced our security measures, and thus we are confident that this particular ransomware cannot re-emerge on the LabCorp network.”

“This incident sheds light on how vulnerable the healthcare industry still is, and the value of the information within healthcare organizations,” Bill Dixon, a cybersecurity advisor with Kroll, a New York City-based risk solutions provider, says. Dixon is the associate managing director of Kroll’s cyber risk practice in the Los Angeles office.

More importantly, Dixon says, the LabCorp incident highlights the importance of having a solid, effective incident response plan. “In this particular case, it looks like they made a business decision to shut certain down parts of the business until they mitigated it correctly.”

Dixon also notes that while advanced cybersecurity technology solutions can help strengthen an organization’s defenses, smaller organizations that do not have those resources can still protect their systems and data. “Independent of the technology, the plan itself is really going to be what drives incident response. Having something in place where they can coordinate and understand who is doing what, and really build up a solid foundation of communication and roles and responsibilities, is going to be extremely important in that situation,” he says.

Fred Kneip, CEO of Denver-based risk management platform provider CyberGRX, said the LabCorp security incident highlights the need for healthcare organizations to be vigilant about managing third-party security. “Healthcare providers need to understand the level of risk introduced by each member of their dynamic portfolio of third-party providers, because it only takes one vulnerability for attackers to get in. It’s critical that healthcare organizations have the ability to assess third-party risk in real time, track emerging exposures and remediate issues like this LabCorp attack as they occur.”

Effective strategies to address ongoing and evolving cyber threats

A report from cybersecurity firm Rockville, Md.-based Cryptonite found that, in the first half of 2018, ransomware events in major healthcare data breaches diminished substantially compared to the same time period last year. However, recent attacks suggest that ransomware is alive and well in healthcare and reinforces the need for healthcare organizations to strengthen their defenses.

A Missouri health system, Cass Regional Medical Center, was hit with a ransomware attack July 9, forcing the health system to take its electronic health record (EHR) system down for a week, while also diverting emergency patients to other hospitals. Cass Regional Medical Center posted a statement to its website July 9 stating that officials became aware of a ransomware attack on the organization’s IT infrastructure, including internal communications and access to its EHR. Hospital leadership initiated the organization's incident response protocol within 30 minutes of the first signs of attack, officials said.

The health system brought its EHR back online July 16, and an investigation by a third-party cyber forensic firm indicates that the system breach was caused by a brute-force attack via Remote Desktop Protocol (RDP), officials stated.

A number of other recent healthcare data breaches also expose the vulnerability of healthcare organizations to cyber attacks. Sunspire Health, a network of addiction treatment facilities, provided notice that several of its employees fell victim to a phishing email campaign that may have exposed patient information during a two-month period. And, July 19, UMC Physicians, part of Lubbock, Texas-based UMC Health System, announced that an employee’s email account was hacked, potentially compromising the personal health information of more than 18,000 patients.

In addition to ransomware, cybersecurity experts say cryptocurrency mining, or cryptojacking, also is on the rise. A recent Kaspersky Lab report notes that ransomware attackers are searching for more profitable activities such as cryptojacking, which refers to the unauthorized use of someone else’s computer to mine cryptocurrency.

“Cryptocurrency mining is essentially using computer resources to generate a cryptocurrency, whether that be Bitcoin or any of the other hundreds of other crypto currencies that exist out there,” Dixon says. “The cryptocurrency software will just run in the background and it uses a lot of the computing resources.” Dixon adds that cryptocurrency mininig code is often difficult to detect, but it often results in slower performance or lags in execution on the network.

Cybersecurity experts say healthcare security leaders can take steps to minimize the risk of being a target of cryptojacking, such as including the crypto mining threat in cybersecurity awareness training, as it’s often delivered via phishing-type emails, and training IT security teams to look for signs of it. Organizations should also use endpoint protection that is capable of detecting known crypto miners and should consider deploying network monitoring solutions.

Tackling insider threats

A recent survey found that may healthcare professionals are more concerned about insider threats to health data security than external breaches. In fact, an overwhelming majority of IT professionals see insiders as an equal or greater threat to unwanted exposure of sensitive data, the survey found.

“What I’ve seen, with organizations that are addressing insider threats well, is that they’ve started to develop programs where they are doing detection, and it doesn’t mean having more advanced technology than someone else. They are looking at who is accessing data and who is accessing the system at certain times? Is this something they should have access to? How long are they spending in certain applications looking at various files? And then they start to build a comprehensive monitoring program,” Dixon says.

Dixon also notes that having a robust identity management and access control program is essential as well. “You have to look at, who is it that should have access to certain data elements? And why do they need to have access to it? Do they need permanent access to that data?”

While Dixon acknowledges that simulated phishing exercises are an important part of employee cybersecurity awareness training, he notes that some organizations are moving forward on more advanced strategies. “Hospitals are looking at who, within their user population, is the most likely to be breached from a user perspective. They are looking at individual users to understand what they have access to and how they access data. Are they a remote employee? Do they have mobile devices? Then they identify users who are a bigger risk because they have multiple avenues to access data, and that creates more vulnerability,” he says.

He adds, “Simulated phishing exercises and security awareness training are great, but those are for the masses. Today’s phishing exploits are extremely sophisticated and they take advantage of the fact that today, in 2018, we have eliminated traditional forms of communication, such as calling someone on the phone to ask someone what a certain email is about. Phishing exploits those trust relationships that exist.”


The Health IT Summits gather 250+ healthcare leaders in cities across the U.S. to present important new insights, collaborate on ideas, and to have a little fun - Find a Summit Near You!


/article/cybersecurity/what-can-industry-learn-recent-high-profile-healthcare-cyber-attacks
/news-item/cybersecurity/health-first-data-breach-exposes-information-42k-patients

Health First Data Breach Exposes Information of 42K Patients

November 15, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

A data breach at Florida-based Health First exposed the personal information of some 42,000 patients, according to various industry media reports this week.

The website DataBreaches.net reported that in early October, the healthcare provider Health First notified the Department of Health & Human Services (HHS) of a breach that affected 42,000 patients.  The breach actually occurred earlier in the year, however, between February and May 2018, according to the report, which received a statement from the organization’s senior vice president, consumer and retail services.

The Health First executive noted that “a small number of our employees were the victims of a phishing scam which compromised some of our customers’ information. The criminals were able to gain access of these employees’ email accounts for a limited period of time.”

Health First officials also told Florida Today this week that the data breach “was fairly low-level, though it could have included some customers' Social Security numbers. Mostly it appears to have involved information such as addresses and birth dates. No medical information was compromised,” according to this report.

Phishing attacks continue to plague the healthcare industry; the single largest breach this year was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. That said, cybersecurity professionals are still looking for more advanced ways to get out in front of these attacks, as healthcare has traditionally lagged behind other industries in in phishing resiliency.

More From Healthcare Informatics

/webinar/components-strong-cybersecurity-program-closer-look-endpoint-security-best-practices

Components of Strong Cybersecurity Program - A Closer Look at Endpoint Security Best Practices

Tuesday, December 18, 2018 | 1:00 p.m. ET, 12:00 p.m. CT

Endpoint protection remains a core security challenge for many healthcare organizations and it is more important than ever for healthcare organizations to actively manage their full range of endpoints.

Attend this session to learn why it's more important than ever for healthcare organizations to actively manage their full range of endpoints, endpoint security best practices, and how your endpoint management strategy may need to evolve over time.

Related Insights For: Cybersecurity

/news-item/cybersecurity/44m-patient-records-breached-q3-2018-protenus-finds

4.4M Patient Records Breached in Q3 2018, Protenus Finds

November 7, 2018
by Rajiv Leventhal, Managing Editor
| Reprints

There were 117 disclosed health data breaches in the third quarter of 2018, leading to 4.4 million patient records breached, according to the Q3 Protenus Breach Barometer report.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the most recent data shows that although the number of incidents disclosed in Q3 decreased somewhat from Q2, the number of breached records increased from Q2 to Q3. Also, the number of affected patient records has continued to climb each quarter in 2018—from 1.13 million in Q1 to 3.14 million in Q2 to 4.4 million in Q3.

In Q3, the report noted that the single largest breach was a hacking incident affecting 1.4 million patient records that involved UnityPoint Health, an Iowa-based health system. Hackers used phishing techniques, “official-looking emails”, to gain access to the organization’s email system and capture employees’ passwords. This new incident follows one that took place at the same organization in April when 16,400 patient records were breached as a result of another phishing attack.

For incidents disclosed to HHS (the Department of Health & Human Services) or the media, insiders were responsible for 23 percent of the total number of breaches in Q3 2018 (27 incidents). Details were disclosed for 21 of those incidents, affecting 680,117 patient records (15 percent of total breached patient records). For this analysis, insider incidents are characterized as either insider-error or insider-wrongdoing. The former includes accidents and other incidents without malicious intent that could be considered “human error.” 

There were 19 publicly disclosed incidents that involved insider-error between July and September 2018. Details were disclosed for 16 of these incidents, affecting 389,428 patient records. In contrast, eight incidents involved insider-wrongdoing, with data disclosed for five of these incidents.

Notably, when comparing each quarter in 2018, there has been a drastic increase in the number of breached patient records as a result of insider-wrongdoing. In Q1 2018, there were about 4,600 affected patient records, in Q2 2018 there were just over 70,000 affected patient records, and in Q3 there were more than 290,000 affected patient records tied to insider-wrongdoing.

What’s more, the report found that hacking continues to threaten healthcare organizations, with another increase in incidents and affected patient records in the third quarter of 2018. Between July and September, there were 60 hacking incidents—51 percent of all Q3 2018 publicly disclosed incidents. Details were disclosed for 52 of those incidents, which affected almost 3.7 million patient records. Eight of those reported incidents specifically mentioned ransomware or malware, ten incidents mentioned a phishing attack, and two incidents mentioned another form of ransomware or extortion. However, it’s important to note that the number of hacking incidents and affected patient records have dropped considerably when comparing each month between July and September 2018.

Meanwhile, of the 117 health data breaches for which data was disclosed, it took an average of 402 days to discover a breach from when the breach occurred. The median discovery time was 51 days, and the longest incident to be discovered in Q3 2018 was due to insider-wrongdoing at a Virginia-based healthcare organization. This specific incident occurred when an employee accessed thousands of medical records over the course of their 15-year employment.

See more on Cybersecurity

betebettipobetngsbahis bahis siteleringsbahis