According to a new healthcare data security report based on IBM Managed Security Services (MSS) data, insiders were responsible for 68 percent of all network attacks targeting healthcare data in 2016. Almost two-thirds of those insider-driven attacks originated from unwitting parties who may have fallen victim to phishing scams or left servers misconfigured.
The report notes that the first six months of 2015 accounted for 62 percent of the largest healthcare security breaches—those with more than a million records compromised—seen in any year of the last five. In 2016 the volume of compromised records was not as great, but breaches continued to cause operational, financial, and reputational damage to healthcare organizations, and in fact the number of breaches rose. A total of 320 breaches involving unsecured protected health information (PHI) were posted to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, an increase of 18.5 percent over 2015. IBM Managed Security Services, which monitors billions of events reported every year by client devices in over 130 countries, analyzed the aggregate data it accumulated in 2016.
According to the Ponemon Institute’s “2016 Cost of Data Breach Study,” a stolen healthcare record cost the average business $355 in 2016. That’s more than twice the mean cost of $158 across all industries. The IBM report states, “It is safe to say that costs to healthcare organizations will continue to rise as one of the fastest-growing threats, ransomware, successfully wreaks havoc in the industry. An IBM survey released in December 2016 found that 70 percent of business executives with experience of ransomware attacks had paid to get data back, with more than half paying over $10,000 and one in five paying more than $40,000. Ransom demands are likely to increase in 2017.” Notably, research team IBM X-Force has found that the average ransomware attachment rate in spam emails, at 0.6 percent in 2015, ballooned to an average of 40 percent of all spam in 2016—an increase of 6,000 percent.
According to IBM, one U.S.-based health facility last year notified customers that their electronic health records (EHRs) and backup copies had all been encrypted by Cryptowall ransomware, and that, “seeing no other option,” it had paid an undisclosed ransom to regain access. In one unlucky twist of fate, a U.S. medical billing and EHR service provider paid a ransom and got its customers’ data unlocked, but then lost the data anyway because of a faulty backup system. What’s more, Americans aren’t the only ones paying: the report cites one survey released in August 2016 in which 40 percent of respondents from non-U.S. businesses said they too had paid a ransom to recover encrypted data.
But, the report adds, ransomware and the cost of breaches aren’t the only threats. “Another concern, outlined in our 2016 security trends in the healthcare industry report, is the introduction of risk from the Internet of Things (IoT), mobile health apps and cloud. As the healthcare industry continues to accelerate the transformation of its IT infrastructure, the need for adequate security increases apace. And the pace is dramatic. For example, in just two short years, the number of U.S. hospitals providing patients with the ability to digitally view, download and transmit their health information jumped from just 10 percent in 2013 to 69 percent in 2015.”
On the reality of insider threats, the report notes that the number one attack vector involved the use of malicious data input from bad actors to attempt to control or disrupt the behavior of target systems. With the rising black-market value of healthcare records packaged into full individual profiles, attackers will increasingly set their sights on the healthcare industry. “Healthy security is now a necessity. More than ever, there is an urgent need for organizations to transform a point product-based set of security solutions into an integrated security immune system,” the report says.
Indeed, according to the analysis of the 2016 data, 47 percent of attacks used malicious data input to attempt to control or disrupt the behavior of a target system. Command injection, which includes operating system (OS) command injection and SQL injection, belongs in this category. OS command injection is also known as shell command injection, the class of flaw for which the now infamous and widely prevalent Shellshock vulnerability is named. Shellshock attack activity surged across all industries prior to the bug’s two-year anniversary in September 2016 and made up just over one-third of all attacks targeting healthcare in 2016.
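Shellshock probes of the kind the report counts are easy to spot in web server logs, because the trigger is a bash function definition (`() {`) placed in an HTTP header that a CGI script will export as an environment variable. The following detection sketch is an added example, not code from IBM or the report; the access-log lines are constructed, and the parser assumes the Apache “combined” log format.

```python
import re

# Constructed Apache combined-format lines for this demo (not from the IBM report).
# Lines 2 and 3 carry the Shellshock function-definition prefix in a header value.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2016:10:01:02 +0000] "GET /patient/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Sep/2016:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 120 "-" "() { :;}; echo probe"',
    '10.0.0.9 - - [12/Sep/2016:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 120 "() { x;};echo" "curl/7.47"',
    '10.0.0.7 - - [12/Sep/2016:10:02:30 +0000] "POST /api/labs HTTP/1.1" 201 88 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A bash function definition "() {" has no legitimate place in an HTTP header
# value or request line; its presence is the Shellshock signature.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Return (client_ip, request_path, field) for each line whose request line,
    referer or user-agent carries a Shellshock-style function prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines deserve their own alert; out of scope here
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], rec["request"].split(" ")[1], field))
                break  # one alert per line is enough
    return hits

if __name__ == "__main__":
    for ip, path, field in find_shellshock(SAMPLE_LOG):
        print(f"Shellshock pattern from {ip} against {path} in {field} header")
```

Run over the constructed sample, only the two `/cgi-bin/status` requests from 10.0.0.9 are flagged; the bracketed browser string on the last line shows why the pattern anchors on `() {` rather than on parentheses alone.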
The number two attack vector, accounting for 19 percent of attacks, was the attempt to gain unauthorized access by manipulating system data structures. Attacks attempting to manipulate some aspect of a resource’s state or availability accounted for nine percent of all attacks. The fourth most prevalent mechanism, at six percent, involved an attacker “using probabilistic techniques to explore and overcome security properties of the target.”
The report concludes, “First and foremost, cybersecurity has to be a business priority. If so, there will be adequate budgetary allocations, a dedicated information security person to run the show, and an incident response plan, or IRP, to help you comply with HIPAA and other regulations. You may also be reviewing medical devices for security issues and applying essential data protection methods. Those are the basics. What else can your healthcare organization do to fortify its cybersecurity immune system?”