Cyber Threats Behind the Biggest Healthcare Data Breaches of 2019

Ransomware saw a resurgence in 2019, which disrupted patient care across the US. But third-party vendor breaches and phishing caused some of the largest healthcare data breaches of 2019.

Healthcare faced some of the biggest data breaches of recent history in 2019, as hackers shifted tactics to increase the success rate of financially motivated attacks. At the start of last year, trojan malware even topped ransomware as the biggest hacking threat to the sector.

But by the year’s end, ransomware dominated the headlines, disrupting patient care across the US. The rapid increase in the severity of the threat spurred several alerts and guidance from a host of stakeholders, including Microsoft, the Office for Civil Rights, and security leaders.

By mid-2019, Protenus calculated that hackers had already breached 32 million patient records. And 88 percent of those security incidents were caused by hacking. In total, threat detections on healthcare endpoints increased by 60 percent, according to Malwarebytes. Those breaches are expected to cost the sector $4 billion.

Over the year, several breaches caused by insiders, phishing, third-party vendors, and hacking impacted up to millions of patients. And while ransomware may not necessarily cause actual data breaches, the disruptions to patient care make it one of the biggest threats to the healthcare environment.

Third-Party Vendors and Business Associates

The American Medical Collection Agency breach was by far the biggest of 2019, impacting at least 25 million patients. The notification was first made public through a Securities and Exchange Commission filing in June, prompting several investigations and lawsuits.

Patients of Quest Diagnostics, LabCorp, BioReference, and Clinical Pathology were among those affected by the breach, which claimed more than two dozen providers as victims. In the end, AMCA filed for Chapter 11 bankruptcy given the costs of the eight-month hack.

Vendors and other business associates were behind some other major breaches last year, including Vitagene, LifeLabs, Zoll Services, Wolverine Solutions Group, and health administrator Inmediata Health Group.

In the first half of 2019, vendors were behind 26 security incidents. However, Protenus researchers found that business associates and other third parties struggled with hacking more than any other covered entity. In fact, 45 percent of BA breaches were caused by an outside hack.

Many providers struggle with third-party vendor risk management, as healthcare relies heavily upon a wide range of vendors to maintain care services. Ponemon Institute and Censinet research found it costs the sector $3.8 million to manage third-party vendor risk, more than the $2.9 million it costs to recover from an attack.

“Enforcement of non-compliance with security requirements is the control practice most often fully deployed. Vendor management risk controls are considered important but not considered very effective,” according to the report.

Censinet CEO Ed Gaudet told HealthITSecurity.com, at the time of the report, “Third-party risk is systemic in healthcare, and you would think with the amount of investment in cybersecurity increasing in the sector that the trend would see the number of breaches going down.”

Inventory and vendor management are crucial to securing third-party relationships, including the need to hold vendors accountable.

Phishing Attacks

One of the largest breaches of the year impacted 645,000 patients of the Oregon Department of Human Services. The government agency was targeted with a massive phishing campaign that compromised more than 2.5 million emails, after nine employees responded to the malicious email.

In February, UConn Health reported a similar incident impacting 326,629 patients. By September, phishing attacks on the sector were reported at a high frequency. Targeted phishing attacks became much more common, as hackers increased the sophistication of their phishing campaigns.

By July, phishing attempts evading security had increased by 25 percent. The use of compromised email accounts for lateral phishing attacks rapidly increased, as well. The FBI, Europol, Microsoft, and others also released insights as the success of the attack method increased.

According to Google, the success of these phishing attacks is based on the targeted nature that relies on human instinct. The tech giant blocks more than 100 million phishing emails each day.

To combat this, organizations should deploy technology to stop malicious emails from arriving in the inbox, such as multi-factor authentication. Further, studies have shown employee training and education drastically reduce the risk posed by phishing.

Insiders

Healthcare employees were the root cause of the majority of healthcare data breaches during the first half of 2019. Egress found that about 63 percent of those breaches were caused by human error: 43 percent due to incorrect disclosure and 20 percent by posting or faxing data to the wrong recipient.

Considering insiders are also behind the effectiveness of phishing campaigns, employees have caused many of the biggest breaches in healthcare.

“All too often, organizations fixate on external threats, while the biggest cause of breaches remains the fallibility of people and an inherent inability of employees to send emails to the right person,” Tony Pepper, Egress CEO, said at the time.

“Not every insider breach is the result of reckless or negligent employees, but regardless, the presence of human error in breaches means organizations must invest in technology that works alongside the user in mitigating the insider threat,” he added.

For example, the UW Medicine breach reported in February was caused by an employee error. The data of about 947,000 patients was exposed for three weeks due to a misconfigured server that made internal documents publicly accessible.

OCR recently shared guidance on how to manage the threat of malicious insiders. And in the past, the agency stressed that identity access management controls and policies can also reduce the risk posed by insiders.

Ransomware

By the end of the year, Emsisoft found that 764 healthcare providers fell victim to ransomware, including two of the largest healthcare breaches in 2019: Wolverine Solutions Group and Columbia Surgical Specialist of Spokane.

Many security researchers have noted that it’s unlikely ransomware hackers are looking for patient data when deploying the malware; rather, they’re looking to disrupt services to pressure victims into paying a ransom. But given that two providers permanently closed in 2019 after falling victim to ransomware, several more reported data loss, and a host of providers reported care disruptions from the threat, ransomware remains one of the largest threats to patient data and to patient safety.

“The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk,” researchers wrote. “Emergency patients had to be redirected to other hospitals. Medical records were inaccessible and, in some cases, permanently lost.”

“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better,” Fabian Wosar, Emsisoft chief technology officer, said at the time.

Many of healthcare’s struggles with the threat stem from a lack of resources and gaps in security planning. As security leaders warn these attacks will only get worse in 2020, it’s crucial that providers improve their emergency planning now.