Report: Ransomware Attacks Against Healthcare Orgs Increased 89 Percent in 2017

Jan. 8, 2018
The number of reported major IT/hacking events attributed to ransomware by health care institutions increased by 89 percent from 2016 to 2017, according to cyber defense firm Cryptonite’s 2017 Healthcare Cyber Research Report.

The number of reported major IT/hacking events attributed to ransomware by health care institutions increased by 89 percent from 2016 to 2017, according to cyber defense firm Cryptonite’s 2017 Healthcare Cyber Research Report, which used data reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The research conducted by Rockville, Md.-based Cryptonite looks at healthcare cyber attack activity last year and finds that 2017 was a very challenging year for healthcare institutions as these organizations remain under sustained attack by cyber attackers that continue to target their networks through the use of well understood vulnerabilities. According to the report, there were a total of 140 data breach events characterized and reported to HHS OCR as IT/hacking in 2017, representing an almost 24 percent increase over the 113 IT/hacking events reported in 2016. For an historical view, there were 57 reports for IT/hacking in 2015 and 35 reports in 2014.

The number of reported major IT/hacking events attributed to ransomware by health care institutions increased by 89 percent from 2016 to 2017. This was an increase from 19 reported events in 2016 to a total of 36 events in 2017. In 2017 ransomware events represented a quarter of all events reported to HHS/OCR and attributed to IT/hacking.

All six of the six largest IT/hacking healthcare events reported in 2017 were attributed to ransomware, according to the report.

The research found that there were 3,442,748 records reported compromised in 2017, a substantial decrease from 13,425,263 reported compromised in 2016 as cyber attackers diversified their attacks against a broader mix of healthcare entities.

“In past years, cyber criminals invested considerable time and effort in targeting the largest healthcare institutions as evidenced by the 2015 events impacting Anthem (78.8 million records), Premera Blue Cross (11 million records) and by the 2016 events impacting Banner Health (3.6 million records) and Newkirk Products (3.4 million records),” the report authors wrote. “This low hanging fruit has to some extent, been harvested and attackers are now increasingly turning their attention to the broader mix of health care entities.”
What’s more, the report authors note that the emergence and refinement of advanced ransomware tools lowers both the cost and the time for cyber attackers to target smaller healthcare institutions – now they can cost effectively reach physician practices, surgical centers, diagnostic laboratories, MRI/CT scan centers and many other smaller yet critical healthcare institutions. And, the report authors predict that this is the beginning of a trend that will increase very substantially in 2018 and 2019.

Internet of Things (IoT) devices in healthcare also represent new and expanding opportunities for cyber attackers. “Cyber attackers target healthcare networks primarily for two primary reasons – to steal the medical records they contain or to extort ransom payments. Medical records are the targets of choice, as this data is highly prized to support identity theft and financial fraud,” Michael Simon, president and CEO of Cryptonite, said in a statement. “While 2017 was the year of ransomware, we are anticipating this already hard-hit sector will feel the wrath of cyber criminals targeting the hundreds of thousands of IoT devices already deployed in healthcare. Internet of Things (IoT) devices are now ubiquitous in health care – they are already present in intensive care facilities, operating rooms and patient care networks.”

According to Cryptonite researchers, medical records represent the most comprehensive set of records for an individual, rivalling those records stored within credit bureaus for completeness and criminal utility. For these reasons medical records are attractive for sale on the dark web where they continue to demand high premiums from criminal purchasers. Despite the value of a health care medical record, their price on the dark web is decreasing due to the massive quantity of medical records already listed for sale. In 2012, for example, the price of a medical record often went for as much as $50. In 2017 the price of a typical medical record has been as high as $10 with the average price as low as $.50 to $1.00 per record, the report states.

The researchers concluded in the report that no category of health care has been able to avoid these cyber attacks. This has included health care insurers, hospitals, physician practices, physician organizations (accountable care organizations - ACOs, independent physician organizations - IPAs, and managed care organizations - MCOs) and a broad variety of other important health entities such as surgical centers, skilled nursing facilities, urology centers, vision surgical centers, cancer treatment centers, MRI/CT-scan centers and diagnostic laboratories.

“Less than ten years ago, most physicians updated patient records manually and stored them in color coded file systems. By the end of 2017 industry data suggests that approximately 90 percent of the office-based physicians have moved to use an electronic system (electronic health records - EHR / electronic medical records - EMR) for the storage, retrieval and management of this electronic health data. Virtually all of these systems are online and internet accessible,” the report authors wrote. “All of this creates a perfect storm for cyber attackers and sets the stage for a continued successful breach of electronic protected health care information.”

The report also offers a number of recommendations for healthcare organizations to strengthen their cybersecurity profile. “It becomes imperative to deploy a comprehensive strategy both to detect and deter the sophisticated attacker moving through the network, as well as the multitudes of ransomware tools that they will deploy into 2018 and 2019,” the report states.

New best practices and the technologies that support them, such as network micro-segmentation, can detect and defeat many of the attacks leveraged by vulnerabilities found in most health care networks, the report states. “The speed of detection response is always of the essence. A Zero Trust environment can be constructed by combining moving target cyber defense (MTD) and network micro-segmentation technologies. A Zero Trust environment allows health care networks to stop and defeat attackers, ransomware, and insider threats,” the report states.