IBM Report: Insider Threats, Malicious Data Input Pose Biggest Risks to PHI | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

IBM Report: Insider Threats, Malicious Data Input Pose Biggest Risks to PHI

February 3, 2017
by Rajiv Leventhal
| Reprints
Report notes that ransom demands will likely increase on 2017

According to a new healthcare data security report from IBM Managed Security Services (MSS) data, insiders were responsible for 68 percent of all network attacks targeting healthcare data in 2016. And almost two-thirds of those attacks originated from unwitting parties who may have fallen victim to phishing scams or misconfigured servers.

The report notes that the first six months of 2015 saw 62 percent of the largest healthcare security breaches—those with more than a million records compromised—of any year in the last five. In 2016, the volume of compromised records was not as great, but breaches continued to cause operational, financial, and reputational damage to healthcare industry organizations, and in fact the number of breaches rose. A total of 320 breaches involving unsecured protected health information (PHI) were posted by the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, an increase of 18.5 percent over 2015. IBM Managed Security Services, which monitors billions of events reported every year by client devices in over 130 countries, analyzed the aggregate data it accumulated in 2016.

According to the Ponemon Institute’s “2016 Cost of Data Breach Study,” a stolen healthcare record cost the average business $355 in 2016. That’s more than twice the mean cost of $158 across all industries. The IBM report states, “It is safe to say that costs to healthcare organizations will continue to rise as one of the fastest-growing threats, ransomware, successfully wreaks havoc in the industry. An IBM survey released in December 2016 found that 70 percent of business executives with experience of ransomware attacks had paid to get data back, with more than half paying over $10,000 and one in five paying more than $40,000. Ransom demands are likely to increase in 2017.” Notably, research team IBM X-Force has found that the average ransomware attachment rate in spam emails, at 0.6 percent in 2015, ballooned to an average of 40 percent of all spam in 2016—an increase of 6,000 percent.

According to IBM, one U.S.-based health facility last year notified customers that their electronic health records (EHRs) and backup copies had all been encrypted by Cryptowall ransomware, and that “seeing no other option” they had paid an undisclosed ransom fee to regain access. And, in one unlucky twist of fate, a U.S. medical billing and EHR service provider paid a ransom and got their customers’ data unlocked, but then lost it due to a faulty backup system. What’s more, Americans aren’t the only ones paying. One survey released in August 2016 reported that among respondents from non-U.S. businesses, 40 percent said they too had paid a ransom to recover encrypted data, according to the report.

But, the report, adds, ransomware and the cost of breaches aren’t the only threats. “Another concern, outlined in our 2016 security trends in the healthcare industry report, is the introduction of risk from the Internet of Things (IoT), mobile health apps and cloud. As the healthcare industry continues to accelerate the transformation of its IT infrastructure, the need for adequate security increases apace. And the pace is dramatic. For example, in just two short years, the number of U.S. hospitals providing patients with the ability to digitally view, download and transmit their health information jumped from just 10 percent in 2013 to 69 percent in 2015.”

On the realness of insider threats, the report notes that he number one attack vector involved the use of malicious data input from bad actors to attempt to control or disrupt the behavior of target systems. With the increasing black-market value of healthcare records packaged into full individual profiles, attackers will increasingly set their sights on the healthcare industry. “Healthy security is now a necessity. More than ever, there is an urgent need for organizations to transform a point product-based set of security solutions into an integrated security immune system,” the report says.

Indeed, according to the analysis of the 2016 data, 47 percent of attacks involves those attacks that use malicious data input to attempt to control or disrupt the behavior of a target system. Command injection, which includes operating system (OS) command and SQL injection, belongs in this category. OS command injection is also known as shell command injection, for which the now infamous and widely prevalent Shellshock vulnerability is named. Shellshock attack activity surged across all industries prior to its two-year anniversary in September 2016 and made up just over one-third of all attacks targeting healthcare in 2016.

The number two attack vector, accounting for 19 percent of attacks, was attempting to gain unauthorized access through the manipulation of system data structures. Attacks attempting to manipulate some aspect of a resource's state or availability accounted for nine percent of all attacks. And, the fourth most prevalent mechanism of attack, at six percent, involved an attacker “using probabilistic techniques to explore and overcome security properties of the target.”

The report concludes, “First and foremost, cybersecurity has to be a business priority. If so, there will be adequate budgetary allocations, a dedicated information security person to run the show, and an incident response plan, or IRP [incident response plan], to help you comply with HIPAA and other regulations. You may also be reviewing medical devices for security issues and applying essential data protection methods. Those are the basics. What else can your healthcare organization do to fortify its cybersecurity immune system?”

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Study: EHRs Tied with Lower Hospital Mortality, But Only After Systems Have Matured

Over the past decade, there has been significant national investment in electronic health record (EHR) systems at U.S. hospitals, which was expected to result in improved quality and efficiency of care. However, evidence linking EHR adoption to better care is mixed, according to medical researchers.

Nursing Notes Can Help Predict ICU Survival, Study Finds

Researchers at the University of Waterloo in Ontario have found that sentiments in healthcare providers’ nursing notes can be good indicators of whether intensive care unit (ICU) patients will survive.

Health Catalyst Completes Acquisition of HIE Technology Company Medicity

Salt Lake City-based Health Catalyst, a data analytics company, has completed its acquisition of Medicity, a developer of health information exchange (HIE) technology, and the deal adds data exchange capabilities to Health Catalyst’s data, analytics and decision support solutions.

Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.