SAN MATEO, Calif.—December 22, 2016 — TrapX™, a global leader in advanced cybersecurity defense, today announced the availability of its “2016 Year-End Healthcare Cyber-Breach Report.” The research, which was conducted by TrapX Labs, indicates that the continued wave of cyberattacks impacting healthcare institutions in the United States increased by 63 percent year-over-year to a total of 93 major attacks. The data also shows sophisticated cyber attackers are now responsible for 31.42 percent of all major HIPAA data breaches reported in 2016, which is a 300 percent increase in the last three years. The full report can be downloaded here: https://goo.gl/3lBQ5O
To give some context as to how pervasive attacks on healthcare institutions have been, in 2014 cyber attackers were responsible for 9.77 percent of the total major HIPAA data breaches, and this increased in 2015 to 21.11 percent. These sophisticated and persistent cyber attackers are a huge threat to the protection of patient healthcare data and critical healthcare operations and ultimately present a direct physical risk to the patients themselves.
Medical Device Hijacks and Ransomware on the Rise
“Through our ongoing research, TrapX Labs continues to uncover hijacked medical devices (MEDJACK) that attackers are using as back doors into hospital networks,” said Moshe Ben-Simon, co-founder and vice president of services at TrapX Labs “Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data. Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it. The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices.”
The list of devices vulnerable to a MEDJACK attack is large and includes diagnostic equipment such as PET and CT scanners and MRI machines; therapeutic equipment such as infusion pumps, medical lasers and laser eye surgery machines; and life support equipment such as heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines.
In June, TrapX Labs issued its report “Anatomy of an Attack – Medical Device Hijack 2,” which chronicles how attackers have evolved and are now increasingly targeting medical devices that use legacy operating systems that contain known vulnerabilities. By camouflaging old malware with new techniques, the attackers are able to successfully bypass traditional security mechanisms to gain entry into hospital networks and ultimately to access sensitive data. That report can be downloaded here: http://deceive.trapx.com/WPMEDJACK.2_210LandingPage.html
To mitigate these attacks going forward, TrapX recommends that hospital staff review budgets and cyber-defense initiatives at the organizational board level and consider bringing in new technologies that can identify attackers that have already penetrated their networks. In addition, healthcare organizations need to implement strategies that review and remediate existing medical devices, better manage medical device end-of-life and carefully limit access to medical devices. It becomes essential to leverage technology and processes that can detect threats from within hospital networks.
In addition to MEDJACK attacks, cybercriminals are increasingly turning to new strains of ransomware to extort money from healthcare institutions. In August, TrapX identified more than 2,000 variations of ransomware that employ different methods of attack on the network. Ransomware is easier to manufacture and deploy than MEDJACK and other attack methods, and organized crime is investing significantly in improving tool sets. Healthcare institutions are specifically targeted because they have the financial depth to afford the payments, and they have the incentive to make them because of the threat to critical patient care and ongoing operations. In October 2016 several hospitals in the United Kingdom experienced a ransomware attack that forced them to cancel hospital operations, including scheduled surgical procedures, for a period of several days.
“Lack of new technology and associated best practices make it very difficult for hospitals to detect and remediate ransomware attacks. We expect to see an increase in the number of incidents in 2017,” Ben-Simon continued.
To address ransomware, TrapX introduced CryptoTrap in August this year, which was specifically designed to ensure customers are protected from all forms of ransomware. CryptoTrap is also setting an industry first by leveraging deception technology to hold ransomware attacks captive while security teams are alerted to remediate the threat. What is more, when paired with the DeceptionGrid™ Advanced Incident Response (AIR) module, which extends and automates incident response, CryptoTrap becomes the only deception-based ransomware tool on the market that can also offer deep forensics on attack details. This allows security teams to analyze the threat and tailor defenses accordingly.
Top Ten Healthcare Cyberattacks of 2016
2015 witnessed some of the largest healthcare breaches in history. Three major healthcare cyberattacks compromised Excellus BlueCross® BlueShield® (10 million records), Premera Blue Cross® (11 million records), and Anthem Blue Cross (78.8 million records). In the 57 attacks documented that year, approximately 111,812,172 data records were breached. In 2016, the number of records breached decreased to approximately 12,057,759; however, the number of attacks increased by 63 percent to 93 documented data breaches.
Following are the top 10 healthcare cyberattacks of 2016, based on the number of protected health information (PHI) data records breached. The dates are not necessarily based upon the date of the attack but on the date when mandatory reporting to the Department of Human Health and Services, Office of Civil Rights, was submitted.
- Banner Health®: In August this year, this health system reported that approximately 3,620,000 patient records were breached, making this the single largest healthcare data breach reported so far in 2016.
- Newkirk Products, Inc.: Also in August, this company, which is part of Broadridge® Financial Solutions, was attacked and approximately 3,446,120 records were potentially compromised.
- 21st Century Oncology: In March, 21st Century Oncology was breached and approximately 2,213,597 former and current patients were affected.
- Valley Anesthesiology Consultants, Inc.: In August, Valley Anesthesiology Consultants announced they were potentially breached during an ongoing cyberattack that occurred between March 30 and June 13, 2016. 882,590 records were affected.
- Peachtree Orthopedic Clinic: In November, this provider of orthopedic services headquartered in Atlanta, Georgia, notified 531,000 patients of a cyberattack that had compromised their protected health information.
- Central Ohio Urology Group, Inc.: In May, the group reported an August 2015 cyberattack that affected 300,000 patients.
- Southeast Eye Institute, P.A. (doing business as Eye Associates of Pinellas): In May, the institute was notified by Bizmatics, a major provider of medical practice software serving over 15,000 medical practices, that it had suffered a breach that impacted 87,314 individuals.
- Medical Colleagues of Texas, LLP: Also in May, Medical Colleagues of Texas reported a breach that affected approximately 68,631 individuals.
- Urgent Care Clinic of Oxford: In September, the clinic reported that approximately 64,000 individuals were impacted when the organization was breached.
- Alliance Health Networks, LLC: In February, Alliance Health Networks reported that one of its patient databases had been left accessible via the Internet; this may have resulted in the protected health information of 42,372 patients being exposed for a period of 30 months.
Report Methodology
The 2016 Year-End Healthcare Cyber-Breach Report shares data on all major cyberattacks in the United States reported between January 1, 2016, and December 10, 2016. Some of these breaches may have been ongoing prior to the start of 2016, but to retain consistency the report only used the official reporting dates to the HHS OCR that fall within 2016.