US healthcare organisations, including hospitals, are increasingly vulnerable to medical device hijacks as well as the growing ransomware threat, according to a new study by security vendor TrapX.
A total of 93 major attacks occurred during 2016. Hackers were responsible for almost a third (31.42 per cent) of all major HIPAA (Health Insurance Portability and Accountability Act) data breaches reported in 2016, a four-fold increase in the last three years.
In 2014 cyber attackers were responsible for 9.77 per cent of the total major HIPAA data breaches, a figure that increased in 2015 to 21.11 percent.
Last year witnessed some of the largest healthcare security breaches in history. Three major healthcare cyberattacks compromised Excellus BlueCross BlueShield (10 million records), Premera Blue Cross®(11 million records), and Anthem Blue Cross (78.8 million records).
In the 57 attacks documented last year, approximately 112 million data records were breached. This year the number of actual records breached decreased to approximately 12 million even as the number of attacks increased by 63 per cent.
The 10 most significant breaches this year are itemised in TrapX's press release on its study here.
Criminal hackers represent a large and growing threat to both the protection of patient healthcare data and healthcare operations, TrapX warns.
“Through our ongoing research, TrapX Labs continues to uncover hijacked medical devices [MEDJACK} that attackers are using as back doors into hospital networks,” said Moshe Ben-Simon, co-founder and vice president of services at TrapX Labs
“Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data. Unfortunately, hospitals do not seem to be able to detect [these attacks] or remediate it.”
Devices vulnerable to a MEDJACK attack include diagnostic equipment such as PET and CT scanners and MRI machines; therapeutic equipment such as infusion pumps, medical lasers and laser eye surgery machines; and life support equipment such as heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines. A previous study (registration required) by TrapX explains how hackers might be able to abuse medical device vulnerabilities to hack into hospital networks.
In addition to MEDJACK attacks, cybercriminals are increasingly turning to ransomware as a means to extort money from healthcare institutions. Ransomware is easier to manufacture and deploy than MEDJACK and other attack methods.
Healthcare institutions are specifically targeted because they have the financial depth to afford the payments, and they have the incentive to make them because of the threat to critical patient care and ongoing operations, according to TrapX.
“Lack of new technology and associated best practices make it very difficult for hospitals to detect and remediate ransomware attacks. We expect to see an increase in the number of incidents in 2017,” Ben-Simon warned.
TrapX’s 2016 Year-End Healthcare Cyber-Breach Report can be found here (pdf). ®