Attacks targeting healthcare organizations just won’t let up. In early June, the University of California San Francisco (UCSF) announced that their IT team identified a limited security breach within a part of the UCSF School of Medicine’s IT environment.
According to an account shared by UCSF on its website, the IT team quarantined a small number of IT systems within the School of Medicine. UCSF said it had successfully isolated the attack from its primary network and that there was no indication that patient care was negatively impacted in any way.
However, the ransomware did manage to grab ahold of several systems. “While we stopped the attack as it was occurring, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible. Since that time, we have been working with a leading cyber-security consultant and other outside experts to investigate the incident and reinforce our IT systems’ defenses. We expect to fully restore the affected servers soon,” the school reported.
While the school’s investigation continues, it has so far found no indication that the attack targeted UCSF specifically. Instead, the attackers sought to infect any systems they could, and UCSF proved a viable opportunity. The attack turned out to be ransomware, and it encrypted UCSF servers. “The attackers obtained some data as proof of their action, to use in their demand for a ransom payment. We are continuing our investigation, but we do not currently believe patient medical records were exposed. As additional facts become known, we will provide further updates,” the school said.
The healthcare industry is regularly hit hard by data breaches. According to the recent ForgeRock 2020 Consumer Identity Breach Report, healthcare accounts for 45% of data breaches. These breaches cost the healthcare industry nearly $18 billion, according to the report, with each breached record costing about $429. Indeed, the healthcare industry ranked first, and it wasn’t even close: the second most breached vertical was banking/insurance/financial at 12%.
According to ForgeRock, 2020 didn’t start out any better. In the first quarter, the healthcare sector comprised about half, 51%, of all breaches. “The ongoing pandemic and the resulting explosion of telehealth practices, as well as endless related new health-related apps for people to download and try, are accelerating security risks,” the report stated.
The ForgeRock report highlighted the international risk to healthcare organizations, noting that the U.K.’s National Health Service said it fended off roughly 12,000 daily phishing attacks. “While the healthcare sector in Australia reported the most data breaches compared to others every year since 2017. In the U.S., healthcare remained the top breach target since the previous year’s report, with breaches costing the industry nearly $18B and personal health information commanding a 6x premium,” ForgeRock wrote.
June was another active month in healthcare security. On June 24, Miami-based Cano Health announced it had been breached in April as a result of email accounts being accessed without authorization. The breach affected the security of about 28,000 patients, whose names, dates of birth, addresses, and financial and Social Security numbers were disclosed.
On June 19, a story broke that Springfield, Pa.-based Crozer-Keystone Health System was hit with a ransomware attack conducted by the NetWalker group, which auctioned the stolen data on the dark web.
Yet another successful phishing attack led New Mexico-based Presbyterian Healthcare to alert 183,000 patients that their private information had been compromised. According to KRQE, Presbyterian Healthcare said that last year there was unauthorized access to customers’ private information as a result of a successful phishing attack. The information stolen included medical ID numbers, names, birth dates, and email addresses.
University of Utah Health announced in early June that someone without authorization accessed a number of employee email accounts from April 6 through May 22, 2020. “The investigations determined that some patient information was contained in the email accounts, which may have included patient names, dates of birth, medical record numbers, and limited clinical information related to the care patients received at U of U Health facilities,” the University said.
The attacks on hospitals and healthcare organizations aren’t about to stop soon, and it’s not just a challenge in the United States. Recently, European Commission President Ursula von der Leyen warned that China has been targeting hospitals and health care providers throughout the pandemic. "We've seen attacks … on computer systems, on hospitals, and we know the origin of the cyberattacks," von der Leyen said after a videoconference with China's President Xi Jinping. "We put together the facts and the figures necessary to know."
"We pointed out clearly that this cannot be tolerated," she added, as was quoted by Politico EU, pointing to China's use of disinformation to distort the public debate around the coronavirus pandemic.
When it comes to data breaches, healthcare organizations face a somewhat different mix of threat actors. According to the 2019 Verizon Data Breach Investigations Report (DBIR), the majority of data breaches in healthcare involve internal actors, or trusted insiders. The DBIR found that 59% of data breaches in healthcare involved someone on the inside, and 4% involved trusted partners.
That year’s DBIR also found that the most common motive for those attacking healthcare organizations is profit, with 83% involving financial gain. It found that human error accounted for 21% of breaches and that healthcare suffers from the highest number of internal bad actions, most likely because those insiders have access to credentials.
These healthcare security challenges aren’t likely to let up any time soon. As I wrote in April, there’s been a steady rise in healthcare-related data breaches. According to the Protenus Breach Barometer report, there were 572 healthcare data breaches within the U.S.-based healthcare industry in 2019 and 450 in 2016. While in 2018 there were 15 million patient records leaked, that rose to 41 million in 2019. According to the Protenus report, since 2016 a healthcare data breach has occurred daily.