For the first time, 2016 saw the American Medical Association (AMA) place health data security within its top nine issues affecting physicians (1). This move up the list of issues is likely due to the healthcare sector continuously being identified as a top target for cybercriminals. To add weight to the AMA’s advice, the IBM X-Force 2016 Cyber Security Intelligence Index placed healthcare as the #1 most attacked industry in 2015, coining it “the year of the healthcare breach” (2).
The cost of being placed as the most targeted sector for cyber security incidents has been identified by the Ponemon Institute (3) with estimates of healthcare data breaches across the industry costing around $6.2 billion. The same study also identified the average cost of a data breach as being $2.2 million (4). Further studies by the Ponemon Institute, including one on privacy and security of healthcare data, found that almost 90% of healthcare organizations had suffered a data breach in the last two years, and around 45% have had five or more breaches.
Healthcare is investing heavily in big data and as a result, information collected from patients, employees, and medical processes and procedures is highly distributed. This has increased the effective surface area of attack available to cybercriminals. The availability of this information to those who wish to compromise it has been worsened by the success of phishing and in particular spear phishing.
In this article, we will look at the key areas of concern in healthcare: where the biggest breaches are occurring and why.
Top Ten Biggest Healthcare Breaches
Healthcare has seen some of the largest breaches over the last few years. The breaches tend to be focused on the theft of Personal Health Information (PHI). PHI data is valuable. It is also easily sold on the Dark Web and is often then used to commit secondary attacks. This was likely the case with the IRS breach of 2015, which relied on personal data to carry out fraudulent tax claims. I have listed below some of the largest and most impactful attacks on U.S.-based healthcare organizations in 2015/2016. All were hacking incidents. Many of these breaches originated in phishing or spear phishing attacks. It is thought that the Anthem and Premera attacks were carried out by a Chinese group known as Deep Panda (5). The group created a spoof site which was used as the basis for phishing attacks against employees — the site collected login credentials when an unsuspecting employee clicked on a phishing link in an email.
In 2015, 98% of breached healthcare data came from large-scale hacking incidents (6).
| Company | Individuals affected (7) | Data stolen |
|---|---|---|
| Anthem Blue Cross | 78.8 million | Personal data, including social security numbers |
| Premera | 11 million | Bank account data, personal data, clinical records |
| Excellus Health Plan, Inc. | 10 million | Some credit card details, financial transactions, personal data |
| University of California, Los Angeles Health | 4.5 million | Medical records, personal data |
| Medical Informatics Engineering | 3.9 million | Full range of PHI |
| Banner Health | 3.62 million | Financial data, personal data, clinical information |
| Newkirk Products, Inc. | 3.5 million | Personal data |
| 21st Century Oncology | 2.2 million | Financial data, personal data, medical records |
| CareFirst BlueCross BlueShield | 1.1 million | Some personal data |
| Valley Anesthesiology Consultants, Inc. | 882,590 | Financial data, personal data, medical records |
The Security and Price of PHI
All of the biggest breaches in healthcare took data of some sort or another. This is because Personal Health Information (PHI) is a valuable commodity. In a search of the Dark Web, the CEO of RedJak found that the price of a pack of 10 stolen Medicare IDs was $4700 (7). The latest Ponemon Institute survey (3) found that the cost of a breach of healthcare-based data was $355, significantly higher than the mean across other industries, which was $158 (8). In 2015, over 113 million individuals were victims of a PHI breach; this is in contrast to the years between 2011-2014, when fewer than 4 million individuals had PHI exposed by a breach (9).
Another Ponemon Institute report, on Privacy & Security of Healthcare Data (10), identified that the most successful targeted attacks were against medical files, and billing and insurance records — with 64% of respondents suffering successful attacks against medical files, and 45% against insurance records (3). Much of the stolen data is used as a means to commit fraud through identity theft. The Ponemon report also found that the best way to combat this is through employee training, with around 63% of respondents admitting that record exposure was due to unintentional and non-malicious actions of employees.
Phishing in Healthcare
Looking at the mass-scale attacks over 2015/2016, we need to ask where the vector of attack occurs. PHI may have been the focus of the attack, but the initiation of the attack is often a phishing or spear phishing attempt. Phishing is a highly successful method of cyber attack, used to trick users into installing malware and/or to steal login credentials by tricking them into entering those credentials into a spoof website or portal. In 2016, seven of the top ten largest breaches were due to hacking (11) as opposed to other methods such as theft or accidental exposure — database hacks, like the Anthem one, are likely to have begun with a phishing email. A report by the Anti Phishing Working Group (APWG) found that Q1 of 2016 saw more phishing attacks than any previous period. The researchers found 289,371 unique phishing sites during that quarter, a 250% increase from October 2015 (12). It isn’t just PHI that is under threat from phishing. One recent use of phishing within healthcare is as a delivery mechanism for ransomware.
According to research by HIMSS Analytics Quick HIT Survey, at least 50% and up to 75% of U.S. hospitals have been hit by a ransomware attack in the last year (13). The same survey found that over 30% had been attacked between 1 and 3 times and 13% had been attacked over 10 times. And the situation doesn’t seem likely to improve. Ransomware variants keep on coming. Symantec’s Internet Security Threat Report for 2016 found that between 2005-2014 there was a total of 16 ransomware family types, whereas in 2015 alone there was a total of 27, and in just Q1 of 2016 a staggering 15 new families of ransomware were discovered (14). In 2017 it is expected that ransomware families will increase by another 25% (15). Symantec’s report also found that spear phishing campaigns against employees, an effective way to deliver ransomware, have increased by 55%.
It is no wonder, then, that according to a report by Ponemon (16), ransomware and phishing are amongst the top cyber security concerns across the healthcare industry. This is backed up by findings from the Internet Security Threat report (11), which shows that over 54% of healthcare emails are spam. The same report states that 1 in every 2711 emails received in a healthcare organization is a phishing email (17).
Insider Threats in Healthcare
Insider threats are those committed by someone with internal access to resources. This could be an employee, a contractor, a freelancer or third party business associate. Threats can be both malicious and accidental. With statistics showing that 52% of employees (18) view the sharing of work logins as ‘not affecting security,’ you can see how insider threats are becoming a problem.
In the previously mentioned Ponemon study into privacy and security of healthcare data, 13% of organizations had breaches caused by a malicious insider (4). In a further study, over 90% of IT decision makers felt threatened by insider threats (18). This makes insider threats one of the biggest areas of concern within healthcare and one which is often the most difficult to tackle.
Medical Devices, IoT and Security
New security issues are evolving with the healthcare industry as it embraces the Internet of Things (IoT). According to Intel, healthcare is the second largest user of IoT devices with over 30% of worldwide usage being attributed to the healthcare industry (19). According to McKinsey & Company, the IoT will be worth $11.1 trillion by 2025 (20) so that is a lot of IoT device use within healthcare.
This makes sense, as healthcare is perfectly positioned to utilize the intelligence garnered from the data generated through the IoT. As part of normal working practice, healthcare creates data and needs to analyze and use the results of these data. Having fast and accurate access to medical information can be life-saving. The IoT is being used across the board in healthcare, from electronic pill dispensers to asthma monitors, to wearables such as heart monitors and smart watches, to clinic video cameras. Each device is collecting personal health data and sending it back to a Cloud server. Privacy, as well as security, is at risk through IoT devices. For example, in a look at over 271 Android-based diabetes apps, it was found that 81% of them didn’t have privacy policies, with almost half of them sharing user data freely (21). An interesting report by PWC found that, as far as medical devices and apps are concerned, 62% of consumers regarded device security as more important than ease of use (22).
It is during the transmission and storage of these personal data that PHI is most at risk. Without the correct implementation of secure transfer, encryption, and authentication, health data is vulnerable to a cyber attack. A survey by SpiceWorks (23) found that 90% of IT professionals saw IoT as posing threats to security and privacy of data. Of the devices most likely to be hacked, wearable devices came out top, with video cameras second — both used as part of the IoT of healthcare.
Healthcare and DDoS
But it isn’t all about data breaches. Distributed Denial of Service (DDoS) attacks are a real concern for any organization, as they remove the ability for a user or customer to access a vital Cloud resource. DDoS, which was previously thought of as an attack vector against ecommerce sites, is now targeting healthcare. In the case of healthcare, if a DDoS attack shuts down access to patient Electronic Health Records (EHR) systems, this could be life threatening. A report by VeriSign found that DDoS attacks have risen by 111% in the last year (24). These are sustained and often repeated attacks. As EHR systems become Cloud-based, these types of attacks are becoming more likely, and the widespread use of healthcare IoT devices will make DDoS attacks even more difficult to prevent.
Although we are increasingly seeing DDoS attacks, according to HIMSS, only 42% of healthcare organizations have any sort of DDoS protection in place (25). In a survey by Ponemon, DDoS threats against hospitals were the number one concern of the industry, with 48% of respondents being worried about this threat (11).
Biggest Concerns in Healthcare
With all of the above concerns, healthcare is at a crossroads in terms of dealing with its heightened profile in the cybercriminal world. Healthcare, more than any other sector, has an alignment of data planets that makes it attractive to hackers. The data it creates is vast and complex. Coupled with this, these data are highly personal and, as such, valuable; not just for resale on the Dark Web but as tools to commit identity fraud. In addition to the attractive and widespread nature of healthcare data, the industry is vulnerable to attacks coming in from phishing, including ransomware, other malware, and credential theft. Healthcare needs to face cybercrime threats head on to ensure that the sector gives itself the best possible chance of handling the likely increased attacks coming in 2017.
From The Ponemon Institute, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data – Biggest Healthcare Security Concerns:
| Security concern | Respondents |
|---|---|
| Denial of service (DOS / DDoS) | 48% |
| Advanced Persistent Threats (APT) | 16% |
(1) American Medical Association, Top 9 issues that will affect physicians in 2016: http://www.ama-assn.org/ama/ama-wire/post/top-9-issues-will-affect-physicians-2016
(2) IBM X-Force 2016 Cyber Security Intelligence Index 2016: http://www-03.ibm.com/security/data-breach/cyber-security-index.html
(3) Ponemon Institute and IBM, 2016 Cost of Data Breach Study: Global Analysis: https://securityintelligence.com/cost-of-a-data-breach-2016/
(4) Ponemon Institute and ID Experts, Benchmark Study on Privacy & Security of Healthcare Data 2016: https://www2.idexpertscorp.com/sixth-annual-ponemon-benchmark-study-on-privacy-security-of-healthcare-data-incidents?utm_source=Referral&utm_medium=press%20release&utm_campaign=Ponemon%202016
(5) Krebs on Security, Premera Blue Cross Breach Exposes Financial, Medical Records:
(6) Bitglass, Healthcare Breach Report 2016: https://pages.bitglass.com/Healthcare-Breach-Report-2016.html
(7) U.S. Department of Health and Human Services Office for Civil Rights, Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
(8) Medicare IDs – pack of 10: $4700: http://www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data
(9) The Office of the National Coordinator for Health Information Technology: http://dashboard.healthit.gov/evaluations/data-briefs/trends-individual-perceptions-privacy-security-ehrs-hie.php
(10) The Office of the National Coordinator for Health Information Technology: http://dashboard.healthit.gov/quickstats/pages/breaches-protected-health-information.php
(11) The Ponemon Institute, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data: http://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1
(12) U.S. Department of Health and Human Services Office for Civil Rights, Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
(13) Anti Phishing Working Group 1st Quarter 2016: http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf
(14) HIMSS Analytics Quick HIT Survey: http://www.healthcareitnews.com/news/more-half-hospitals-hit-ransomware-last-12-months
(15) Symantec, Internet Security Threat Report 2016: https://www.symantec.com/security-center/threat-report
(16) Trend Micro, The Next Tier: http://www.trendmicro.co.uk/vinfo/uk/security/research-and-analysis/predictions/2017
(17) IS Decisions, Insider Threat Persona Study: http://www.isdecisions.com/insider-threat-persona-study/
(18) Vormetric Insider Threat report 2015: https://www.vormetric.com/campaigns/insiderthreat/2015/
(19) Intel, A Guide to the Internet of Things: http://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
(20) McKinsey & Company, Unlocking the Potential of the Internet of Things: http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/the-internet-of-things-the-value-of-digitizing-the-physical-world
(21) Jama Network, Privacy Policies of Android Diabetes Apps and Sharing of Health Information: http://jamanetwork.com/journals/jama/fullarticle/2499265#jld150059r2
(22) PWC, Top Health Industry Issues of 2016: http://pwchealth.com/cgi-local/hregister.cgi/reg/pwc-hri-top-healthcare-issues-2016.pdf
(23) SpiceWorks, 2016 IOT Trends: The Devices Have Landed: https://www.spiceworks.com/marketing/reports/iot-trends/
(24) Verisign, Distributed Denial of Service Trends Report 1st Quarter 2016: https://www.verisign.com/en_GB/security-services/ddos-protection/ddos-report/index.xhtml
(25) HIMSS and Akamai, HIMSS Survey Uncovers Critical Weaknesses In Hospital Web Security: https://www.akamai.com/us/en/multimedia/documents/content/akamai-himss-survey-uncovers-critical-weaknesses-in-hospital-web-security-white-paper.pdf