Healthcare Still in the Midst of Breach Season

Fall and winter are “breach season,” according to Dustin Hutchison of cybersecurity firm Pondurance.

“You think, people are shopping online more for the holidays, and then right after New Years it’s tax time,” he told Healthcare Analytics News™. “We see attacks socially engineered around those, like phishing masked as your tax info. People are in a hurry to get their tax information, so they’re more likely to click on a link.”

He said there’s a large uptick in the number of cyberattacks detected between November and February. “It’s very intentional on the bad guys’ side, they’ve done their homework and they know the best time to strike,” he added.

Healthcare has seen a rash of debilitating attacks in recent months. Oklahoma State University Center for Health Sciences noticed a breach that began in November and may have compromised hundreds of thousands of patients’ records. January’s AllScripts attack paralyzed key clinical applications for at least 1,500 small practices. And a week before that, Hancock Health in Indiana detected a ransomware attack that ended up costing them $47,000. After that incident, the hospital enlisted Pondurance to help advise their next steps.

Both Hancock and Allscripts suffered attacks from the SamSam malware strain. Hutchison’s colleague Landon Lewis said that the strain has appeared and disappeared in a cyclical manner, first appearing about 2 years ago and fading away for months at a time between resurgences. But it isn’t the only threat out there.

Lewis brought up other attack types that healthcare organizations should keep in mind. Botnet-based attacks like cryptocurrency miners are becoming more common, he said, and he wasn’t wrong. The interview was conducted on February 5^th. A few days later, reports began to emerge that Decatur County General Hospital in Tennessee had experienced such an attack, first detected by its electronic health records (EHR) vendor in late November.

Cryptocurrency mining attacks can compromise several computers within a network and use as little of their processing power as possible to slowly mine for bitcoin.

“The ransomware is an abrupt stop, right, like ‘You’re not working anymore, pay me,’” Hutchison said. “They want the bitcoin miner to go on forever, without detection: The organization continues normal operations while that bitcoin miner is in the background sucking up resources.”

The attack on Decatur General was not believed to have resulted in any patient data being compromised, the hospital told some 24,000 patients, but noted that it can’t yet confirm that.

An important thing that healthcare organizations must keep in mind, Hutchison said, is that they can always be hit. Practices often write off the risk, believing that they’re too small to be worth an attacker’s time, Hutchison said, which is a fallacy: The cost of running a cyberattack is so low that “everyone is a target.”

Prevention efforts ultimately fail, he said, and Lewis added that 3^rd party security applications can give businesses a false sense of security.

“Detection and response are going to be key,” Hutchison said. “Historically, users have been an entry into the environment, so continue security awareness training.” Consistently checking who has access to a network, and requiring strong passwords or even multi-factor verification to log in, can go a long way.