The number of reported breach incidents in healthcare grew by 22 percent in 2016, from 269 breach incidents in 2015 to 328 last year, according to Symantec’s 2017 Internet Security Threat Report (ISTR).
Further, Symantec’s analysis found that the number of total breached records decreased significantly from 113.3 million (2015) to 16.7 million (2016). “The major difference is that in 2015 we saw six large breaches (over 1 million records), as compared to only three in 2016,” the report authors stated.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, established mandatory breach reporting for so-called HIPAA Covered Entities (CEs), which include healthcare providers and health plans, as well as for their business associates. Breaches over 500 records need to be reported within 60 days of discovery and are published by Health and Human Services (HHS) on the so-called “Wall of Shame”. This provides a wealth of information about the nature of health data breaches as well as trends.
The Symantec ISTR provides an analysis of the past year in global threat activity, including emerging trends in attacks, malicious code activity, phishing, and spam.
Overall, the report found that cyber attackers revealed new levels of ambition in 2016, “a year marked by extraordinary attacks, including multi-million dollar virtual bank heists, overt attempts to disrupt the US electoral process by state-sponsored groups, and some of the biggest distributed denial of service (DDoS) attacks on record powered by a botnet of Internet of Things (IoT) devices.”
And the report authors noted that while cyber attacks managed to cause unprecedented levels of disruption, attackers frequently used “very simple tools and tactics to make a big impact.” Zero-day vulnerabilities and sophisticated malware now tend to be used sparingly and attackers are increasingly attempting to hide in plain sight, the authors stated. “They rely on straightforward approaches, such as spear-phishing emails and ‘living off the land’ by using whatever tools are on hand, such as legitimate network administration software and operating system features,” the authors wrote.
Further, the authors said that Mirai, the botnet behind a wave of major DDoS attacks, was primarily composed of infected routers and security cameras, low-powered and poorly secured devices. “In the wrong hands, even relatively benign devices and software can be used to devastating effect,” the authors wrote.
The Symantec report also found, based on data provided by cyber insurance data analytics services companies, that healthcare contributed the second-highest number of security incidents in the services sector in 2016. The services sector had 452 security incidents in 2016, or 44 percent of all incidents last year. Of those 452 incidents, 115 were attributed to the healthcare sub-sector, or 11 percent of all incidents, according to the Symantec report.
The Symantec report outlines a number of security trends in healthcare, such as indications of more planned and targeted attacks. Further, according to the report, email-delivered ransomware significantly increased in 2016, leading to the loss of data, shutdown of services, or payment of ransom to restore services.
Specifically, looking at email as an attack vector for distribution of spam and malware as well as the execution of phishing attacks, the report authors found that Health Services is in line with (spam) or even lower than (phishing, malware) the cross-industry averages. “However, this does not mean that healthcare had a better year than other industries. In fact, healthcare organizations were also victims of the increase in email-borne ransomware. Once the underground criminals understood that there was easy money to be made in healthcare, the industry experienced a dramatic increase of attacks over the previous year, leading to loss of data, shutdown of services, or payment of ransom to restore services,” the report authors wrote.
Further, the authors note that healthcare tends to have a lower security posture and that, with patient health at stake, pressure to restore data and services is high. “This is understood by hackers and has resulted in a number of high-profile ransom incidents in the US and abroad. Guidance on how to prevent and deal with a ransomware attack has been provided, including specific advice for the healthcare industry,” the report authors wrote.