Cyberattacks affecting healthcare institutions in the United States increased by 63% year over year to a total of 93 major attacks, according to a recent report. Sophisticated cyberattackers were responsible for 31.42% of all major HIPAA data breaches reported in 2016, which is a 300% increase over the last three years.
The “2016 Year-End Healthcare Cyber Breach Report” comes from TrapX, a company providing cybersecurity defense. (The full report is available online at: https://goo.gl/3lBQ5O.)
To give some context as to how pervasive attacks on healthcare institutions have been, the report notes that in 2014, cyberattackers were responsible for 9.77% of the total major HIPAA data breaches, which increased to 21.11% in 2015.
Medical Device Hijacking
The company also cautions that the hijacking of medical devices, called a MEDJACK, is on the rise. Moshe Ben-Simon, co-founder and vice president of services, said in a statement announcing the report that MEDJACKs can facilitate access to more than just the device.
“Through our ongoing research, TrapX Labs continues to uncover hijacked medical devices (MEDJACK) that attackers are using as back doors into hospital networks,” he said. “Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data. Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it. The great majority of existing cyberdefense suites do not seem able to detect attackers moving laterally from these compromised devices.”
The list of devices vulnerable to a MEDJACK attack is large and includes diagnostic equipment such as PET and CT scanners and MRI machines; therapeutic equipment such as infusion pumps, medical lasers, and laser eye surgery machines; and life support equipment such as heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines, and dialysis machines.
Hackers More Sophisticated
Hackers have evolved and are now increasingly targeting medical devices that use legacy operating systems that contain known vulnerabilities, the report says. By camouflaging old malware with new techniques, the attackers are able to successfully bypass traditional security mechanisms to gain entry into hospital networks and ultimately to access sensitive data. (A report on that technique is available online at: http://bit.ly/28YKYDJ.)
Keep Up with Changing Defense Technology
To defend against these attacks, the company recommends that hospital staff review budgets and cyberdefense initiatives at the organizational board level and consider bringing in new technologies that can identify attackers that have already penetrated their networks. In addition, healthcare organizations need to implement strategies that review and remediate existing medical devices, better manage medical device end of life, and carefully limit access to medical devices, the company advises. Healthcare organizations also are increasingly vulnerable to ransomware attacks, Ben-Simon said.
“Lack of new technology and associated best practices make it very difficult for hospitals to detect and remediate ransomware attacks. We expect to see an increase in the number of incidents in 2017,” he said.