Share this article on:
Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame. August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009.
As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000.
The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far in 2017.
In contrast to other industries, the biggest cause of data breaches is insiders (Protenus/databreaches.net): Both deliberate actions by ‘bad apples’ and accidental breaches as a result of simple errors and negligence. Hacking (including malware/ransomware attacks) is the second biggest cause.
Healthcare Organizations Should Not Ignore the Threat from Phishing
Many healthcare data breaches occur as a result of phishing. Research conducted by PhishMe suggests 91% of data breaches start with a phishing email, with the attackers using phishing to obtain login credentials or install malware/ransomware.
A recent Global Threat Intelligence Report released by NTT Security showed the extent to which phishing is used to distribute malware. In Q2, 2017, 67% of malware attacks saw malware delivered via phishing emails.
Jon Heimerl, manager of the Threat Intelligence communications team, pointed out that while phishing is used extensively to spread malware, it isn’t often rated as one of the biggest threats. Heimerl said, “I have not seen any studies where CISOs are saying their No. 1 concern is phishing attacks. If you went around a room, it would likely be ransomware and DDoS as the No. 1 and No. 2 things on their mind, in my view.”
Countering the threat from phishing requires software solutions to block spam emails from being delivered to end users, security awareness training to teach employees how to identify email threats, and phishing simulations to put security awareness training to the test and identify vulnerable individuals in need of further training.
New Exploit Kit and Recent Ransomware Attacks Highlight Importance of Prompt Patching
Email remains the main delivery vector for malware, although the WannaCry attacks showed that malware can easily be installed if patch management practices are poor. The ransomware attacks were made possible thanks to the release of exploits by the hacking group Shadow Brokers and poor patching practices. Prompt patching would have protected organizations against WannaCry.
Exploit kits also pose a threat. Exploit kits are web-based tools that probe for vulnerabilities in browsers and plugins. Exploits are loaded to the kit that are used to silently download malware when a visitor to a domain hosting the kit is discovered to have a vulnerable browser.
This week, a new exploit kit has started to be offered on underground forums at cut price rates. For as little as $80 a day, cybercriminals can rent the new Disdain exploit kit and use it to spread malware. Exploit kit activity has fallen over the past 12 months, although the threat of web-based attacks should not be ignored.
The Disdain exploit kit can leverage at least 15 vulnerabilities to download malicious payloads, including vulnerabilities in Firefox (CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710), Internet Explorer (CVE-2017-0037, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551), IE and Edge (CVE-2016-7200), Adobe Flash (CVE-2016-4117, CVE-2016-1019, CVE-2015-5119), and Cisco Web Ex (CVE-2017-3823). While many of these vulnerabilities are relatively new, patches have been released to address all of the flaws.
To reduce the risk of exploit kit attacks, healthcare organizations should ensure all browsers are updated automatically and regular checks are performed to ensure all employees are using the latest versions. A web filtering solution is also beneficial to block access to domains known to be used for malware distribution, host exploit kits or phishing.