While a recent report found that healthcare ransomware attacks declined in the first half of 2018, a spate of recent high-profile healthcare cybersecurity incidents the past few months serves as a stark reminder that the healthcare industry continues to be a ripe target for cyber attacks.
A cyber attack on Singapore’s public health system, SingHealth, breached the records of 1.5 million people and targeted the country’s prime minister, Singapore Ministry of Health officials announced on July 20. The breach impacted about a quarter of Singapore’s population of 5.6 million people. In a statement, officials said that it was a “deliberate, targeted and well-planned cyber attack,” and “not the work of casual hackers or criminal gangs.”
The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines, Ministry of Health officials said. Around 1.5 million people who visited outpatient clinics from May 1, 2015, to July 4, 2018 this year had their personal data accessed and copied, including names, identification card numbers, addresses, race, gender and dates of birth, officials said.
Kurt Long, CEO of healthcare data privacy company FairWarning, said the SingHealth data breach represents a “big picture” pattern. “Attackers and insider threats are increasingly more sophisticated in their tactics and can conduct widescale attacks associated with espionage, drug diversion, blackmail, fraud, identity theft, and cybersecurity attacks. Care providers need to implement robust behavioral monitoring tools to prevent incidents before they start,” Long said.
LabCorp, one of the largest clinical labs in the U.S., says it was hit with a new variant of ransomware during the weekend of July 14 and the company immediately took certain IT systems offline, according to a company statement. The public became aware of the security incident when LabCorp disclosed the incident via an 8-K filing with the Securities Exchange Commission. In that disclosure, the Burlington, N.C.-based laboratory diagnostics company said it had “detected suspicious activity on its information technology network.”
LabCorp said it immediately took certain systems offline as part of its comprehensive response to contain the activity and noted that this “temporarily affected test processing and customer access to test results on or over the weekend.” In a statement posted on its website, LabCorp said the “suspicious activity” was subsequently determined to be a new variant of ransomware. Operations have returned to normal, the company said.
The ransomware was detected only on LabCorp Diagnostics systems; Covance Drug Development systems were not affected by the ransomware. “As part of our in-depth and ongoing investigation into this incident, LabCorp has engaged outside security experts and is working with authorities, including law enforcement. The investigation has found no evidence of theft or misuse of customer or patient data,” the company stated. “We are confident that this ransomware did not and cannot spread to customer networks. LabCorp blocked the ransomware and enhanced our security measures, and thus we are confident that this particular ransomware cannot re-emerge on the LabCorp network.”
“This incident sheds light on how vulnerable the healthcare industry still is, and the value of the information within healthcare organizations,” Bill Dixon, a cybersecurity advisor with Kroll, a New York City-based risk solutions provider, says. Dixon is the associate managing director of Kroll’s cyber risk practice in the Los Angeles office.
More importantly, Dixon says, the LabCorp incident highlights the importance of having a solid, effective incident response plan. “In this particular case, it looks like they made a business decision to shut certain down parts of the business until they mitigated it correctly.”
Dixon also notes that while advanced cybersecurity technology solutions can help strengthen an organization’s defenses, smaller organizations that do not have those resources can still protect their systems and data. “Independent of the technology, the plan itself is really going to be what drives incident response. Having something in place where they can coordinate and understand who is doing what, and really build up a solid foundation of communication and roles and responsibilities, is going to be extremely important in that situation,” he says.
Fred Kneip, CEO of Denver-based risk management platform provider CyberGRX, said the LabCorp security incident highlights the need for healthcare organizations to be vigilant about managing third-party security. “Healthcare providers need to understand the level of risk introduced by each member of their dynamic portfolio of third-party providers, because it only takes one vulnerability for attackers to get in. It’s critical that healthcare organizations have the ability to assess third-party risk in real time, track emerging exposures and remediate issues like this LabCorp attack as they occur.”
Effective strategies to address ongoing and evolving cyber threats
A report from cybersecurity firm Rockville, Md.-based Cryptonite found that, in the first half of 2018, ransomware events in major healthcare data breaches diminished substantially compared to the same time period last year. However, recent attacks suggest that ransomware is alive and well in healthcare and reinforces the need for healthcare organizations to strengthen their defenses.
A Missouri health system, Cass Regional Medical Center, was hit with a ransomware attack July 9, forcing the health system to take its electronic health record (EHR) system down for a week, while also diverting emergency patients to other hospitals. Cass Regional Medical Center posted a statement to its website July 9 stating that officials became aware of a ransomware attack on the organization’s IT infrastructure, including internal communications and access to its EHR. Hospital leadership initiated the organization's incident response protocol within 30 minutes of the first signs of attack, officials said.
The health system brought its EHR back online July 16, and an investigation by a third-party cyber forensic firm indicates that the system breach was caused by a brute-force attack via Remote Desktop Protocol (RDP), officials stated.
A number of other recent healthcare data breaches also expose the vulnerability of healthcare organizations to cyber attacks. Sunspire Health, a network of addiction treatment facilities, provided notice that several of its employees fell victim to a phishing email campaign that may have exposed patient information during a two-month period. And, July 19, UMC Physicians, part of Lubbock, Texas-based UMC Health System, announced that an employee’s email account was hacked, potentially compromising the personal health information of more than 18,000 patients.
In addition to ransomware, cybersecurity experts say cryptocurrency mining, or cryptojacking, also is on the rise. A recent Kaspersky Lab report notes that ransomware attackers are searching for more profitable activities such as cryptojacking, which refers to the unauthorized use of someone else’s computer to mine cryptocurrency.
“Cryptocurrency mining is essentially using computer resources to generate a cryptocurrency, whether that be Bitcoin or any of the other hundreds of other crypto currencies that exist out there,” Dixon says. “The cryptocurrency software will just run in the background and it uses a lot of the computing resources.” Dixon adds that cryptocurrency mininig code is often difficult to detect, but it often results in slower performance or lags in execution on the network.
Cybersecurity experts say healthcare security leaders can take steps to minimize the risk of being a target of cryptojacking, such as including the crypto mining threat in cybersecurity awareness training, as it’s often delivered via phishing-type emails, and training IT security teams to look for signs of it. Organizations should also use endpoint protection that is capable of detecting known crypto miners and should consider deploying network monitoring solutions.
Tackling insider threats
A recent survey found that may healthcare professionals are more concerned about insider threats to health data security than external breaches. In fact, an overwhelming majority of IT professionals see insiders as an equal or greater threat to unwanted exposure of sensitive data, the survey found.
“What I’ve seen, with organizations that are addressing insider threats well, is that they’ve started to develop programs where they are doing detection, and it doesn’t mean having more advanced technology than someone else. They are looking at who is accessing data and who is accessing the system at certain times? Is this something they should have access to? How long are they spending in certain applications looking at various files? And then they start to build a comprehensive monitoring program,” Dixon says.
Dixon also notes that having a robust identity management and access control program is essential as well. “You have to look at, who is it that should have access to certain data elements? And why do they need to have access to it? Do they need permanent access to that data?”
While Dixon acknowledges that simulated phishing exercises are an important part of employee cybersecurity awareness training, he notes that some organizations are moving forward on more advanced strategies. “Hospitals are looking at who, within their user population, is the most likely to be breached from a user perspective. They are looking at individual users to understand what they have access to and how they access data. Are they a remote employee? Do they have mobile devices? Then they identify users who are a bigger risk because they have multiple avenues to access data, and that creates more vulnerability,” he says.
He adds, “Simulated phishing exercises and security awareness training are great, but those are for the masses. Today’s phishing exploits are extremely sophisticated and they take advantage of the fact that today, in 2018, we have eliminated traditional forms of communication, such as calling someone on the phone to ask someone what a certain email is about. Phishing exploits those trust relationships that exist.”