A rise in ransomware incidents and targeted data breaches caused more than 27 million health care patient records to be compromised last year, according to research compiled by security firm Protenus in collaboration with data breach news website DataBreaches.net.
Across the country, as public awareness about cyberthreats has increased, so too has the prominence of cyberattacks aimed specifically at the health care sector.
Cybercriminals remain interested in pilfering these databases because health care data continues to be valuable on the black market. Stolen medical records can be used to accomplish fraud schemes, for blackmail purposes and to submit illicit prescription requests, among other things, CyberScoop previously reported.
Protenus’ report notes that a total of 450 data breaches were disclosed by health care providers in 2016 — a figure that likely underestimates the actual number of incidents given the tendency to avoid public reporting.
Of the 450 known breaches, roughly 190 involved an insider — someone with regular, condoned access to a confidential system — either leaking or mishandling sensitive information. On average, affected health care providers were unaware of the breach for roughly 600 days.
“2016 demonstrated the continued persistence of insider threats (43% of incidents), despite the fact that headlines were dominated by external actors (26.8% of incidents),” Protenus co-founder Robert Lord told CyberScoop. “While this is a perennial challenge, the severity of the delay between breach and detection in the case of malicious actors was deeply troubling and quite surprising.”
Ransomware is particularly troublesome for the sector because it can have dire consequences for operations and patient treatment. The popular variant of malware encrypts a victims’ data, holding it ransom until an anonymous digital payment is made to the adversary. In 2016 alone, more than 14 U.S. hospitals were infected with ransomware.
“It’s likely that increasingly sophisticated types of ransomware will … plague the sector, as we can see an evolution on this front. This is something you’ll hear from most experts,” Lord said. “However, we also believe that 2017 will be the year of insider breach awareness. Fundamentally, we haven’t seen the dangerous trends in insider breaches change, but we’re finally seeking an acknowledgement in the sector that the time to act is now.”
The FBI has consistently dissuaded U.S. companies from paying the ransom associated with ransomware. Even so, it’s become common for victims to bypass U.S. law enforcement when mitigating an attack.
“We have discovered that the majority of our private partners do not turn to law enforcement when they face an intrusion. And that is a very big problem. It is fine to turn to one of the many excellent private sector entities that will help with attribution and with remediation — that’s good. But we have to get to a place where it is routine for people who are victimized to turn to us for assistance,” FBI Director James Comey said in September during a cybersecurity business conference in Washington, D.C.
A survey conducted by KPMG found that 81 percent of 223 participating health care executives had experienced a cyberattack at their respective facilities in 2015.