Hacking still healthcare's top threat, but insider threats often go unnoticed

More than half of August’s breaches were caused by hacking incidents, while one insider hack went undetected for two years, according to the latest Protenus Breach Barometer.
By Jessica Davis
03:51 PM

Healthcare is still struggling with two major threats: hacking and insider threats, according to the August Protenus Breach Barometer released on Wednesday.

Protenus analyzed data compiled from the U.S. Department of Health and Human Services’ Office of Civil Rights breach reporting tool and research from DataBreaches.net.

Since the start of 2017, the rate of breaches has steadily paced at about one breach a day -- often more. August followed that trend with 33 breach incidents. For 31 of the breaches for which the researchers had data, 673,934 patient records were compromised.

The largest incident in August breached 266,123 patient records in a ransomware attack on Pacific Alliance Medical Center.

Hacking caused 54.5 percent of incidents in August. When compared to insider threats -- accounting for 27.3 percent of breaches -- hacking outweighed insiders both in frequency and the number of patient records breached.

There were 18 hacking incidents in August, with ransomware causing five of the breaches. Researchers explained there may have been more, but the data was unclear. One organization actually had two phishing attacks in a matter of months.

Further, a few of these hacking incidents were caused by a resurgence of attacks on unsecured MongoDB installations and Rsync backup devices, which wiped or ransomed the devices.

“While it is unclear how many of breached installations or servers contained health or patient data, this should remind healthcare organizations to check configuration settings and test the security of all backup servers and devices,” the researchers said.

Another notable takeaway from August was an increase in extortion attempts and ransom demands directly from the hacker, the report found. Most media accounts, notification letters and HHS reports fail to mention extortion attempts.

One incident disclosed in August was caused by the notorious hacker known as TheDarkOverlord (TDO), but that detail was omitted from the public disclosure. The disclosure also failed to mention that TDO had already dumped 10,000 patient records for sale on the dark web.

“This information reinforces that the HHS tool does not provide the full picture of how health data breaches are truly affecting healthcare,” the researchers said.

What’s concerning is the average number of days it took these organizations to discover a breach: 138 days. While the median is just 31 days, the gap highlights disparities in detection when comparing hacking to insider breaches.

Some organizations found breaches nearly immediately, while another organization had an ongoing breach for two years as a result of insider wrongdoing. Almost 5,000 patient records were breached, but the breach went completely unnoticed during that time.

“Generally, hacking incidents are discovered much sooner than insider incidents because of the disruption to the organization’s daily operations,” the researchers said. “Additional analyses will be conducted going forward to see if this is an emerging trend or if this is directly associated with the influx of hacking incidents.”
