2015: The Year of the Healthcare Data Breach

Many healthcare IT security professionals will be glad to see the back of 2015. It has been a bad year for the healthcare industry and attacks have come from all corners. Cybercriminals and hackers have been breaking through defenses, or in many cases just sidestepping them. Malicious insiders have stolen patient data, and negligence and human error continued to cause healthcare data breaches in 2015, exposing tens of thousands of patients’ health records.

Previously, the financial and retail sectors were the most targeted industries. Now it is the turn of the healthcare industry. Hackers and cybercriminals have not forgotten about credit card numbers, but there are far greater rewards to be gained from stealing medical records and Social Security numbers. The data can be used by criminals to steal identities, file fraudulent tax returns, make bogus insurance claims, and obtain medical services. The data can be used for far longer than credit card numbers before fraud is detected, allowing thousands of dollars to be gained from each individual set of records. It is therefore no surprise that they are being targeted by hackers.

Cyberattacks on the Healthcare Industry in 2015

Even with the data security measures required by the Health Insurance Portability and Accountability Act, the healthcare industry was ill prepared to deal with the onslaught.

One of the biggest problems of the year was phishing. Phishing attacks enabled hackers to break through the security defenses at Anthem and Premera Blue Cross and obtain tens of millions of healthcare records. 78.8 million records were stolen in the cyberattack on Anthem Inc., while 11 million records were stolen from Premera Blue Cross.

In the first half of the year, over 100 million records had been obtained by hackers and five of the top eight cyberattacks took place on HIPAA-covered entities – health insurers, healthcare providers, and their business associates. Half of the top ten data breaches during that period affected healthcare organizations.

The attacks did not stop after 6 months. During the second half of the year, another health insurer suffered a colossal data breach. Excellus BlueCross BlueShield suffered a cyberattack that exposed 10 million records. A further 4.5 million records were exposed in the cyberattack on UCLA Health, while Medical Informatics Engineering, a business associate of a number of HIPAA-covered entities, suffered a data breach that exposed 3.9 million records.

There are still a few days left of 2015 and not all data breaches will have been reported or even discovered; however, to date, the Department of Health and Human Services’ Office for Civil Rights has been notified of 254 healthcare data breaches in 2015. Those breaches have exposed the PHI of 113,199,087 individuals. To put that figure into perspective and to illustrate how dire 2015 has been, between January 1, 2010, and December 31, 2014, there were only 40,873,281 reported victims of healthcare data breaches.

This year, 12 data security incidents have been reported that have each exposed more than 100,000 records. 7 of those breaches affected health insurers and all but one was caused by hackers.

Biggest Healthcare Data Breaches of 2015


| Covered Entity | Records Exposed | Breach Type |
|---|---|---|
| Anthem Inc. | 78,800,000 | Hacking/IT Incident |
| Premera BlueCross | 11,000,000 | Hacking/IT Incident |
| Excellus BlueCross BlueShield | 10,000,000 | Hacking/IT Incident |
| UCLA Health | 4,500,000 | Hacking/IT Incident |
| Medical Informatics Engineering | 3,900,000 | Hacking/IT Incident |
| CareFirst BlueCross BlueShield | 1,100,000 | Hacking/IT Incident |
| Virginia Department of Medical Assistance Services (VA-DMAS) | 697,586 | Hacking/IT Incident |
| Georgia Department of Community Health | 557,779 | Hacking/IT Incident |
| Georgia Department of Community Health | 355,127 | Hacking/IT Incident |
| Beacon Health System | 306,789 | Hacking/IT Incident |
| Empi Inc. and DJO, LLC | 160,000 | Theft of an Unencrypted Laptop |
| Advantage Consolidated LLC | 151,626 | Hacking/IT Incident |


How Were Healthcare Organizations Attacked?


Phishing attacks caused the most damage in 2015. Malware disguised as documents was emailed to healthcare employees, who unwittingly installed the malicious software onto their computers. By doing so, they allowed attacks to be launched on their computer networks. Employees were also emailed links to malicious websites where they were fooled into revealing their login credentials.

As many healthcare organizations have moved to a cloud infrastructure, hackers have changed tactics and are now targeting cloud environments with increasing frequency. According to a recent Alert Logic study, there has been a 39% rise in brute force attacks on healthcare organizations’ cloud infrastructures. Brute force attacks bombard web servers and web applications with login and password variations. Weak passwords have allowed hackers an easy entry point.

Vulnerabilities were also exploited in out-of-date software and web browsers. IBM reported Shellshock to be a major attack vector in 2015, with vulnerabilities in the GNU Bash shell exploited without the use of malware. Many data breaches were caused by employees simply taking data with them when they left their employment.

Outlook for 2016 Not Much Better


Even though the second half of 2015 saw fewer records exposed, the healthcare industry finished the year top of the data breach list of all industries. With hackers changing their methods of attack and continuing to target healthcare providers, the coming year could well see the healthcare industry top the data breach lists once again.

Attacks on medical devices are expected to increase over the course of the next 12 months, mobile devices will continue to be targeted, and if the past 12 months are anything to go by, healthcare employees, IT security professionals, and vendors will continue to make mistakes that expose PHI.

The only way to deal with the increasing threat of attack is to commit more funding to cybersecurity defenses, implement better monitoring systems, and provide more effective staff training. With a broad attack surface and only limited funding, it is also essential that budgets are effectively managed and put to the best possible use. The sheer volume of attacks is placing more pressure on healthcare organizations to encrypt all PHI and user passwords, whether data is in transit or at rest.

As Office for Civil Rights investigations have shown, HIPAA-covered entities are still not performing comprehensive risk assessments. Unless the entire infrastructure is assessed, security vulnerabilities will be allowed to persist. With no shortage of hackers keen to exploit those vulnerabilities, and malware-as-a-service being offered to the less technically gifted cybercriminals, any HIPAA-covered entity that fails to identify and address security vulnerabilities could be in for a particularly tough 2016.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.