Report: Cyber Attacks on the Rise and Evolving, as Ransomware Declines | Healthcare Informatics Magazine | Health IT | Information Technology

Report: Cyber Attacks on the Rise and Evolving, as Ransomware Declines

June 14, 2018
by Heather Landi

Cyberthreats are continuing to increase and shift, and even though ransomware attacks are significantly declining, cyberattacks are on the rise, according to a new report from the global association ISACA.

Previously known as the Information Systems Audit and Control Association, ISACA, which now goes by its acronym only, is an independent, global, nonprofit association that engages in the development, adoption and use of globally accepted practices for information systems.

ISACA’s “State of Cybersecurity 2018: Part 2, Threat Landscape and Defense Techniques” report provides findings from a survey of 2,366 cybersecurity professionals and individuals in information security positions. Of the survey respondents, six percent work in healthcare/medical. Twenty-six percent of respondents work in technology services/consulting and 23 percent work in financial/banking, and the remaining work in various other fields.

According to the research, 50 percent of respondents have seen an increase in cyberattacks relative to last year, while also experiencing a 17-point drop in ransomware attacks from year to year. Forty-five percent of respondents experienced a ransomware attack this year, compared to 62 percent in 2016.

Motivation for cyber attacks remains monetary, according to half of respondents, yet the decrease in ransomware attacks seems to contradict the finding that attackers’ primary motivation is financial. One possible explanation, according to the survey results, is that potential victims have increased their preparedness. Ransomware countermeasures are nearing ubiquity and enterprises are defending against it more effectively, the survey found.

Enterprises have shifted strongly toward better preparation for ransomware relative to last year: 86 percent indicate that their enterprises have a strategy in place to prevent or reduce the odds of a ransomware incident, and 78 percent of organizations have a formal process to deal with ransomware this year, compared to only 53 percent last year. Anti-ransomware strategies such as employee awareness training are also widely deployed: 94 percent of enterprises train or advise employees about phishing and/or malware, including ransomware.

What’s more, in this year’s survey, almost all respondents (92 percent) indicate that they do not believe that their enterprises will pay the ransom. Most respondents (96 percent) say that their enterprises do not maintain a supply of cryptocurrency for ransomware payments.

The drop-off in ransomware implies that attackers are shifting to alternate strategies with a better return on attacker investment, the report states. Declining ransomware attacks imply that ransomware is not the most effective strategy, and, assuming a constant or increasing number of attacks, it stands to reason that other methods are likely to rise in prevalence, including cryptocurrency mining malware. Cryptocurrency mining malware is similar in purpose to ransomware (i.e., as a mechanism to generate financial return by compromising a victim’s machine). However, instead of attempting to extort a ransom from a victim, cryptocurrency mining malware contributes CPU cycles to a cryptocurrency ecosystem (i.e., mining).

The report notes that cryptocurrency mining malware may rise in prevalence relative to ransomware attacks in the short-to-intermediate term. “Because cryptocurrency mining malware can operate and generate value for an attacker without access to a victim’s host filesystem, the method of detection employed by the enterprise may require adjustments,” the report states.

The report authors also suggest that enterprises should consider investigating the degree to which existing controls (e.g., antimalware tools and products) operate in a fileless malware context. “As ransomware is potentially displaced by other strategies that do not require filesystem access, new controls may need to be deployed or adjustments may need to be made to the operation of existing controls (e.g., enabling behavioral anomaly detection or heuristic-based antimalware scanning).”

Eighty percent of respondents indicate that it is either likely or very likely that their enterprises will experience a cyber attack in 2018. Despite the increase in overall numbers of attacks, however, techniques employed by attackers remain relatively constant. The most common attack vectors are phishing (44 percent), malware (38 percent) and social engineering (28 percent).

The most common types of threat actors identified were cybercriminals (33 percent), hackers (23 percent), non-malicious insiders (14 percent), malicious insiders (11 percent), nation states (10 percent) and hacktivists (six percent).

Looking at different defense strategies, the survey findings indicate that threat intelligence is prevalent, and that active defense is less familiar but effective. Most enterprises employ some threat intelligence capability, often staffed in-house. Active defense strategies, although not universally understood among practitioners or employed in enterprises, demonstrate a high level of success when implemented.

However, 40 percent of respondents are not very familiar with active defense strategies, and 53 percent of respondents use active defense strategies. Of those who employed active defense strategies, 87 percent indicate that they were successful.

The survey also found that the biggest barriers to implementing active defense measures are skill and/or resource limitations (43 percent), budget (37 percent), legal implications (34 percent) and technical implications (30 percent).

According to the report, the survey results “affirm that attacks are becoming more prevalent, attackers are adapting and evolving the methods they employ, and enterprises are shifting their defense strategies in response.” And, the report suggests organizations should consider deploying active defense strategies. “Although some notable barriers exist, the number of respondents reporting success with active defense suggests that it may be worth investing in—and laying the groundwork for—this approach.”





More From Healthcare Informatics


Report: More than 3M Patient Records Breached in Second Quarter of 2018

August 8, 2018
by Heather Landi

More than 3.14 million patient records were breached in 142 disclosed health data breach incidents during a three-month span from April to June 2018, according to new data released in the Protenus Breach Barometer.

Published by Protenus, a cybersecurity software company that issues a Breach Barometer report each month, the latest data showed that in the second quarter of 2018 the number of affected patient records almost tripled from those reported in the first quarter of this year (1.13 million patient records).

Protenus compiled the report using health data breaches reported to the U.S. Department of Health and Human Services (HHS) or to the media. The data showed several large breach incidents during the second quarter, including a theft incident in April involving a Sacramento-based office of the Department of Developmental Services, affecting 582,000 patient records, and a hacking incident at a healthcare provider in May that impacted 566,000 patient records.

For incidents disclosed to the HHS or the media, insiders were responsible for 30.9 percent of the total number of breaches in Q2 2018 (44 incidents). Details were disclosed for 27 of those incidents, affecting 421,180 patient records (13.4 percent of total breached patient records).

The report notes an interesting trend with regard to insider breach incidents. In Q2 2018, 29.7 percent of privacy violations were committed by repeat offenders. “This evidence indicates health systems accumulate risk that compounds over time if proper reporting and education do not occur. On average, if an individual healthcare employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a year’s time,” the report states.

The report authors note, “In other words, even minor privacy violations that are not promptly detected and mitigated, have the potential to compound risk over time.”

The Breach Barometer report data also shows that each hospital investigator is responsible for monitoring the electronic access of an average of 4,000 active EHR users in Q2 2018, underscoring that manual audit processes, like ad-hoc or random audits, are insufficient to monitor such a large population, each of whom accesses multiple medical records per day.

Nine out of 1,000 employees breach patient privacy, and family member snooping is the most common insider-threat violation (71.4 percent of violations), the Protenus data found.

Protenus data estimated that on average, 9.21 healthcare employees breach patient privacy per every 1,000 employees. This increase, from what was reported in Q1 2018, is due to healthcare privacy teams better leveraging advanced analytics, and proactively detecting more incidents, according to the report.

There were 25 publicly disclosed incidents that involved insider error between April and June 2018. Details were disclosed for 14 of these incidents, affecting 343,036 patient records. In contrast, 18 incidents involved insider wrongdoing, with data disclosed for 13 of these incidents. There was a substantial increase in breached patient records as a result of insider wrongdoing: in Q1 2018, there were only 4,597 affected patient records, while in Q2 2018, there were 70,562 affected patient records.

Looking at external threats, hacking continues to threaten healthcare organizations in 2018, with an increase in incidents in the second quarter. Between January and March there were 30 hacking incidents, whereas between April and June 2018 there were a total of 52 incidents (36.6 percent of all Q2 2018 publicly disclosed incidents). Details were disclosed for 44 of those incidents, which affected 2 million patient records.

Of the 143 disclosed health data breaches that occurred between April and June 2018, 99 of them (76 percent of total incidents) were disclosed by a healthcare provider, 15 were disclosed by a health plan, 18 were disclosed by a business associate or third-party vendor, and ten were disclosed by businesses or other organizations.

Even though most healthcare organizations have already switched over to digitized patient records, 23 breach incidents still involved paper records.

The Protenus data also reported that, of the 142 health data breaches for which data was disclosed, it took an average of 204 days from when the breach occurred to when it was discovered. The median discovery time was 18 days. Discovery times varied widely, from a shortest of one day to a longest of 1,587 days (4.35 years).

In conclusion, the Protenus report notes that the average cost per breached record has increased 6.4 percent ($408 per record) over last year. “Healthcare organizations must remain vigilant, looking for best practices in healthcare privacy that will allow them to audit every access to their patient data. Full visibility into how their data is being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization,” the report states.


Related Insights For: Cybersecurity


KLAS’s Recent Report on Cybersecurity Services Firms: What Are the Implications for HIT Leaders?

August 4, 2018
by Mark Hagland
KLAS Research’s Dan Czech shares his perspectives on the forward evolution of cybersecurity services firms

On June 19, the Orem, Utah-based KLAS Research released its report on cybersecurity services firms. The report, authored by Garrett Hall and Dan Czech, was the first of its kind, surveying the levels of satisfaction experienced by patient care organization leaders with external cybersecurity services companies. As KLAS noted in the release of the report on its website, “Since the beginning of 2018, healthcare security breaches have become an almost daily occurrence. While many healthcare organizations have implemented technologies to help combat both internal and external security threats, some are taking additional measures by leveraging the cybersecurity services and expertise of third-party firms. To highlight which firms can best help their clients be successful, KLAS interviewed 129 healthcare organizations about their engagements with cybersecurity firms to find out which services these firms offer and the types of outcomes they were able to achieve. Additionally, respondents were asked about their firm’s healthcare knowledge, ability to cater to customer needs, and strategic expertise.”

Hall and Czech looked at three core types of cybersecurity services: advisory services, technical services, and managed services. According to their categorization, advisory services “[i]ncludes security-program development/assessment, risk assessment, HIPAA compliance, and less frequently used services such as interim CISO services, payment card industry (PCI) testing, and security operations center (SOC) reporting.” Technical services, they said, “Includes penetration testing, design and implementation of security technologies, social engineering/phishing testing, and web application security testing.” The authors also note that “Organizations looking for a cybersecurity services firm will need to determine which firms offer the services their organization needs. To that end, KLAS has categorized the cybersecurity firms in this report based on the breadth of their offerings.”

When it comes to managed services, they included “outsourced management of some or all security tools to a third-party firm. Outsourced security tools include those for data loss prevention (DLP), identity and access management (IAM), medical device management (MDM), security information and event management (SIEM), etc.”

The report’s authors also divided the types of firms surveyed into three categories in terms of their size and scope. “Comprehensive firms offer the widest breadth of cybersecurity services. Clients validate that these firms perform work in all three cybersecurity service areas: advisory, technical, and managed services.” Meanwhile, “Broad firms have been validated for work in two of the main cybersecurity service areas.” And “Advisory-focused firms have the narrowest focus, having been validated by clients for performing work only in cybersecurity advisory services.”

Among the results: “CynergisTek has the greatest breadth of security services and most validated engagements for advisory and technical services”; “Advisory-focused firms Clearwater Compliance and tw-Security have some of the most consistently satisfied clients, many of whom praise their firm’s cybersecurity and healthcare industry knowledge”; and “BluePrint Healthcare IT and Meditology Services clients laud their firm’s strategic guidance and tailored services.”

Recently, report co-author Dan Czech, a KLAS analyst who has been with the organization for over 13 years, spoke with Healthcare Informatics Editor-in-Chief Mark Hagland regarding the report’s findings and some of the implications of those findings for the forward evolution of cybersecurity services in the healthcare industry in the next few years. Below are excerpts from that interview.

KLAS analysts will participate in the Health IT Summit in Seattle, to be held October 22-23 at the Grand Hyatt Seattle, to engage in discussions around cybersecurity issues in U.S. healthcare. More details will be made available on the event website in the coming weeks.

What was your overall objective in looking at cybersecurity services?

As with most KLAS reports, we wanted to provide some transparency over which vendors, or in this case, which firms, were providing the highest-level quality to healthcare organizations. In the 2017 broad look at cybersecurity, we asked our audience which technologies and services were most important to them. And interestingly, they said cybersecurity services and managed services. So we asked, who’s leading the industry? And who are some of the up-and-comers who aren’t yet on everybody’s radar screens?


In addition to validating what they were doing and who was performing well, a couple of the things we looked at specifically was the question, which firms demonstrated that they had healthcare knowledge? And so we asked the extent to which healthcare industry-specific knowledge was helpful, versus understanding cybersecurity in financial services or education. And what about servicing different needs, such as a small critical-access hospital versus a large IDN. So we asked, who tailors their services to best meet your needs? And then we asked what their biggest successes or outcomes were.

Were you surprised by anything that you uncovered?

That’s an interesting question. Yes, I was surprised by a couple of things. We didn’t find the direct correlation we had somewhat expected to find, between being healthcare industry-specific, and having greater healthcare knowledge. There were some healthcare-specific firms, including Leidos and Impact, that didn’t demonstrate what people considered a high level of healthcare knowledge; in contrast, a few firms, including PWC, cross-industry firms, did demonstrate deep healthcare industry knowledge. Also, the size and breadth of a firm wasn’t always a key deciding factor for patient care organizations. Some organizations may not need a Deloitte or CynergisTek or Optiv—sometimes they just want training for their folks and risk assessment, and that might be some of the extent of what they want. And there is a high level of satisfaction when that happens. Most of the firms focused around advisory work—all were above 93 on a scale of 100.

Can you comment a bit on your categorization of firms into “comprehensive,” “broad,” and “advisory services-focused”?

We tried to provide a little clarity and transparency for the provider community, to give them an idea—if they’re looking for a one-stop-shop firm that can do advisory work for them and also have a penetration team that can do work onsite, and also will do managed services for some of your software, that was how we defined a comprehensive firm. It doesn’t necessarily mean in all cases that provider organizations use them across all three dimensions.

Meanwhile, broad firms will do two of those three areas, or at least we haven’t validated all three. Often, they’ll do risk assessment and advisory type work, and advisory services. So for example, an organization might contract with a firm to do a pen (penetration test), so they’re doing a test with NIST or HITRUST, and they’re presenting to the organization the results of the risk assessment and the result of the pen test, and here’s an advisory report, with tiers of actions you can take.

And then some firms just focus on advisory work, such as security program assessment and development, risk assessments and HIPAA compliance work, and other advisory type work, in some cases, that’s interim or virtual CISO services that firms might offer.

How much does healthcare industry-specific knowledge matter, in your view?

That’s a great question. I think it matters quite a bit, and here’s why: patient care organizations have accepted the fact that the healthcare industry is behind other industries on the security side. In some cases, they will want to leverage cross-industry vendors. But we have challenges some other industries don’t have, such as HIPAA compliance; and also somewhat-opposing needs, to tighten down security, but you’ve also got end-user physicians and clinicians who want to be able to share data readily. And we’re super-sensitive to physician burnout, and we don’t want security burden to increase physician burnout. So firms that are able to leverage what they know about the healthcare industry and some of its unique characteristics, and marry that up with good cybersecurity practices, and can take the right message to the c-suite and board, that is sometimes a real differentiator for firms.

What challenges and pitfalls face patient care organization leaders as they scope out potential services providers?

The size of the firms, the amount of work they do across multiple industries, those don’t necessarily correlate to a high level of customer experience. Some of the smaller and most targeted firms achieve very high satisfaction. That’s why we asked the question about tailoring services to meet your needs—as a healthcare organization, you want to be very specific about your expected outcomes, what you expect a firm to do and not do, and then hold them accountable around your expectations. That’s where a few firms have had hiccups, where they’re not sure of their expectations upfront and don’t end up holding their services firms fully accountable.

A couple of other things: you need to have a clear strategy around what you’re going to do with the results around advisory work and risk assessments in particular. We’ve seen a couple of different strategies organizations have: they’ll contract year after year with the same services firm. Others will contract yearly but with different firms every year, to get fresh or unique eyes on the situation. Others will contract every few years and will alternate contracted years with doing their own risk assessments and penetration tests. Others feel they can do it all internally.

So you need to know what kind of strategy you’re going to build around. Do you want to build a years-long relationship? Or just have a good single experience? The other piece of guidance I’d give is around expectations of the end product of an advisory engagement, especially a risk assessment. Oftentimes, security firms produce a relatively canned report that lists out the findings of their risk assessment; in many cases, it will prioritize action items that can be taken. And if you’re in a position where you don’t have the type of board engagement you’d like, there are some firms that are very good at taking the results they’ve come up with, and partnering with the internal healthcare IT security leader, and pairing up with them and presenting to the board to advocate for actions. Boards are often very conservative in terms of spending, but the last thing they want is an OCR investigation or a public outing of a breach in the newspapers, etc.

How do you see this broad area of cybersecurity services evolving over the next few years?

Good question. I think one area that we’re going to see evolving is, I think the industry is starting to coalesce around a few frameworks as far as their annual risk assessment, the predominant one being the NIST framework. A few firms position themselves as HITRUST-qualified assessors. I think the industry will start to coalesce around those two, and some of the other security frameworks, your ISO, etc., might disappear over time. I think the industry will coalesce around the NIST and HITRUST frameworks. My feeling is that we’re going to see more and more managed services engagements going forward. They’re going to engage a managed services firm for a variety of reasons—to outsource their SOC; to manage a certain piece of software, their SIM system, for example. So smaller organizations that may not have the security staff at their organization and can’t afford the resources they need, I think more and more will outsource their needs.

Do you see consolidation among these services providers?

We haven’t seen a lot over the past 12-18 months; there have been a few acquisitions. We’ve seen some on the security software side. For example, CynergisTek was acquired by another firm, but maintained its name. Where I see the potential acquisitions happening is, you may see some of the big firms like a PWC, Deloitte, EY, etc., acquiring some healthcare industry-specific firms.
