Healthcare Hacker Attacks: No End In Sight
Banner Health Care the Latest in Series of Cyberattack Victims This Year
Once federal regulators confirm the details, the recent cyberattack on Banner Health Care, which may have compromised the data of as many as 3.7 million individuals, likely will be the largest healthcare data breach reported so far in 2016 - a year that's seen a string of disturbing hacker attacks in the sector.
For example, a series of organizations have been targeted with ransomware attacks. One hacker claimed to offer 10 million stolen records for sale on the dark web. And a long list of organizations discovered they were victimized by the hacking of a records software vendor.
Massive health data breaches "are not going away anytime soon and, in fact, they will get worse," says Jay Trinckes, director of security consulting firm Coalfire's healthcare and life sciences practice. "As hackers become more sophisticated and organizations try to play catch up, we will see more reports of these types of breaches. Until organizations place a higher, ongoing emphasis on security, our private healthcare data will be at risk."
Of 165 major healthcare data breaches - not yet including the Banner Health attack - added to the Department of Health and Human Services' Office for Civil Rights "wall of shame" tally so far this year, nearly a third are listed as hacking incidents. Those 51 breaches impacted 2.8 million individuals.
As of Aug. 5, the OCR tally of major health data breaches listed 1,624 incidents affecting a total of 159.2 million individuals since federal regulators began keeping track in September 2009. And while hacker incidents represent less than 13 percent of the total breaches, those incidents account for an astounding 74 percent of the individuals affected.
Unusual Twist to Banner Health Attack
Arizona-based Banner Health, which operates 29 hospitals, revealed on Aug. 3 that it's notifying millions of individuals that their data was exposed in a "sophisticated cyberattack."
Banner Health says the breach started when attackers gained unauthorized access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.
A Banner Health spokeswoman tells Information Security Media Group that the organization is working with the FBI in the investigation of the attack, which she says involved malware.
Because Banner Health says its breach started with an attack on payment systems, it stands out from other recent hacker breaches at healthcare sector organizations. While attacks on payment systems have plagued the retail sector, they haven't been as widely reported by healthcare entities.
"What makes the Banner Health breach more concerning is the question of how did hackers access healthcare systems [after breaching payment systems at] food/beverage outlets when these networks should be completely separated from one another," Trinckes says. "Healthcare system networks are very complex and become more complicated as other business functions are added to the infrastructure - even those that don't necessarily have anything to do with systems handling protected health information."
Rebecca Herold, CEO of The Privacy Professor and co-founder of SIMBUS360 Security and Privacy Services, says breaches involving payment systems at healthcare organizations are frequently undetected. "Such systems are often maintained separately from the rest of the network, and often with the heavy involvement of the vendor who is supporting the systems. The POS systems have been shown to be notoriously lacking in strong security protections - yes, even when they have passed all PCI DSS [Payment Card Industry Data Security Standard] requirements."
The Banner Health cyberattack comes after reports of a number of other significant hacker attacks in the healthcare sector in recent months.
Those include multiple attacks by a hacker calling himself The Dark Overlord, who claimed to have breached databases of a number of healthcare entities, grabbing about 10 million patient records that he's offering for sale on the dark web (see 4 Stolen Health Databases Reportedly for Sale on Dark Web).
The Dark Overlord has been trying to extort ransoms from the breached entities, with threats of putting the stolen data up for sale.
Among the healthcare providers that have recently confirmed cyberattacks by The Dark Overlord is Athens Orthopedic Clinic in Georgia.
Data for at least 1,500 Athens Orthopedic patients was recently posted on Pastebin after the clinic missed a "ransom" deadline set by The Dark Overlord, according to DataBreaches.net.
Although the Athens Orthopedic incident does not yet appear on the HHS wall of shame tally, a breach report by another suspected victim of The Dark Overlord - Missouri-based Midwest Orthopedic Pain and Spine - was recently added to the list. That hacking incident, reported to HHS on July 26, affected more than 29,000 individuals.
In yet another hacker attack involving the theft of records, Ukrainian hacktivists recently stole more than 100,000 internal documents and patient records from Central Ohio Urology Group, in Gahanna, Ohio, DataBreaches.net reports. Unlike some other attacks that involve ransom demands, the hackers in the Ohio case allegedly said the attack was "for political purposes," according to the site.
In another trend this year, many healthcare sector organizations - including Hollywood Presbyterian Medical Center, Methodist Hospital in Kentucky and at least two California hospitals operated by Prime Healthcare - have been victims of ransomware attacks (see Hospital Ransomware Attacks Surge, So Now What?).
In addition, MedStar Health, a 10-hospital system serving Maryland and the Washington, D.C. area, in March shut down many of its systems for several days to avoid the spread of malware suspected by some security experts to be ransomware.
To date, however, MedStar has not confirmed that the attack involved ransomware. In a statement to ISMG, a MedStar spokeswoman says, "MedStar Health did not make public statements about the nature of the malware, on advice of law enforcement and cybersecurity experts, and we are not making statements following the event. We did, however, confirm that we had paid no ransom of any kind."
As of Aug. 5, the cyberattacks on Hollywood Presbyterian, Methodist Hospital, Prime's hospitals, and MedStar were still not listed on the HHS breach tally, even though OCR recently clarified that most ransomware attacks are considered reportable breaches (see HHS: Most Ransomware Attacks Reportable Breaches).
EHR Vendor Breached
Meanwhile, a growing number of cyberattacks apparently tied to the breach of Bizmatics, a vendor of cloud-based electronic health records, are showing up on the federal breach tally. So far, nearly 20 covered entities have reported breaches to HHS or have sent out notification letters to patients informing them that their organizations have been victims of the cyberattack on Bizmatics. At least 280,000 individuals have been affected by those breaches so far, according to a tally of breach reports on the HHS wall of shame and patient notification statements from affected entities.
Among the entities recently notifying patients of a cyber incident involving Bizmatics is Uncommon Care, based in North Carolina, which reported on June 21 to HHS a hacking breach affecting almost 14,000 individuals.
Bizmatics has not responded to ISMG requests for comment on the cyberattack.