By Clive Riddle, February 17, 2017
CynergisTek has just released Redspin’s annual cybersecurity Breach Report: 2016: Protected Health Information (PHI). Their 21-page seventh annual report “provides in-depth analysis of the causes of PHI breaches reported to the Department of Health and Human Services and the overall state of cybersecurity in healthcare.”
The report cites that in 2016 there were:
- 325 large breaches of PHI, compromising 16,612,985 individual patient records
- 3,620,000 breached patient records in the year’s single largest incident
- 40 percent of large breach incidents involved unauthorized access/disclosure
- over a dozen providers reported in media as having been victims of ransomware attacks with PHI breaches
The report lists the largest 2016 hacking attack on providers as affecting Banner Health with 3.62 million patient records breached, followed by 21st Century Oncology with 2.2 million records breached. Of large breaches, they state 78% involved providers, 16% health plans and 6% healthcare vendors.
The report makes particular note of “the scourge of Ransomware” and cites that in 2016 there was $1 billion overall in ransomware payments worldwide, impacting all types of businesses and consumers. The report cautions this will get worse in 2017, as “late last year, disturbing reports surfaced regarding the rise of ‘ransomware as a service’ (RaaS) – a business model in which malware authors enlist ‘distributors’ to launch the initial attacks (likely weaponized phishing emails) and then share in any profits. The potential accomplices do not need much technical expertise or capital to get started. Some ransomware kits cost as little as $100 dollars.”
Becker's Health IT & CIO Review featured an article, "Get ready for hospital ransomware attacks 2.0," which also cautions about a growing ransomware threat this year, stating "here are three tactics we've seen in the wild that are likely to become more widespread in 2017. Beyond encryption: 3 ways criminals are making their attacks more disruptive," and goes on to list and describe:
1) Developing ransomware strains that spread like a virus
2) Creating new versions of ransomware that disable the victim systems
3) Turning ransomware attacks into data breach events
The Department of Health and Human Services has weighed in, offering an eight-page FACT SHEET: Ransomware and HIPAA, in which it cites “a recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015).”
The healthcare ransomware threat certainly isn't focused just on the U.S.; it is a global issue. New research based on a Freedom of Information (FOI) request has revealed that 34% of NHS trusts in the UK have suffered a ransomware attack in the last 18 months.