The Next Data Breach: Coming to a Hospital Near You, Part 1

Posted on April 13, 2016

By: Mike Grzesik, Infrastructure Security Specialist

When we look back on this year next December, stories like these may have become all too familiar.  And this isn’t Hollywood or Bollywood; it is real.

January 2016: The Iowa City Press-Citizen reports that a computer virus that is designed to capture personal data infected some computers in January at Mercy Iowa City and Mercy Clinics.

February 2016: Hollywood Presbyterian Medical Center in Los Angeles fell victim to hacker demands and paid $17,000 in bitcoins to get their encrypted data back after a “ransomware” attack.

March 23, 2016: A Henderson, Kentucky hospital went to an internal state of emergency following an attack by cybercriminals.  Methodist Hospital was the victim of a ransomware attack in which encrypted data files were being held hostage.

March 28, 2016: A virus infected the computer network of MedStar Health, forcing the Washington D.C. healthcare facility to shut down its email and vast records database at 10 hospitals and 250 outpatient clinics.  Hospital staff had to revert to seldom-used paper charts and records to do business.

January. February. March.  These “ripped from the headlines” medical stories are the war stories from the next big hacker target: hospitals.  These high-profile cases are not just in the United States.  Royal Melbourne Hospital in Australia was taken down in January by a virus, mainly because the hospital was still running on computers using Windows XP.

There are three factors at play here: the high price for patient medical data paid on the open market; the nature of the latest attacks, namely “ransomware”; and the lack of security that still exists on today’s computer networks.

In 2015, the Ponemon Institute and IBM released an annual report on the cost of a data breach.  Not only did the total cost for a “hacked” business go up from $5.8 million to $6.5 million, the report also revealed that not all stolen records have equal value.  Healthcare records (i.e. patient data) have an average cost of $398 per record, where retail records (i.e. consumer credit cards) cost $189 each.  That’s a very large gap from a steal-and-sell perspective.

Then there is the nature of the attack, which became the hack du jour in 2015 and quickly became known by the term “ransomware”.  It goes something like this: a user receives an infected email that looks like it has a legitimate document as an attachment.  The user clicks on that attachment to open it, which launches computer code inside the file that goes out to the Internet to download more malicious files.  Once installed on the user’s computer, the malicious files start to encrypt the data on that computer so the data is locked up.  Once that computer’s files are encrypted, the virus moves to other computers and file servers on the network and starts encrypting those files, which are also locked up.  The only way to unlock everything?  Pay a “ransom” to get the unlock key from the hackers.  Very nifty, very real and very destructive.  If you don’t pay the ransom and the files can’t be decrypted, they are lost forever.  The only way to recover the files: computer data backups.
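The encrypt-everything behaviour described above is also what makes ransomware visible on a file server: many distinct files are rewritten in a short burst, and what gets written looks like random bytes rather than documents.  The following Python is an added example, not code from the original post or from its author, showing one way a defender can score write events by byte entropy and alert on such a burst.  The sample write log, the share paths, the entropy threshold and the burst parameters are all constructed for illustration.

```python
import hashlib
import math

# Constructed sample data (not real telemetry): a routine clinical note and a
# helper that produces ciphertext-like bytes from a SHA-256 chain.
NORMAL_TEXT = b"Patient intake form v3 - routine notes " * 20


def make_pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out, block = bytearray(), hashlib.sha256(str(seed).encode()).digest()
    while len(out) < size:
        out.extend(block)
        block = hashlib.sha256(block).digest()
    return bytes(out[:size])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted/compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, max_gap_seconds=60, min_files=5, entropy_threshold=7.0):
    """Cluster high-entropy writes that occur close together in time and
    alert when one cluster rewrites at least `min_files` distinct files.

    events: iterable of (timestamp_seconds, path, written_bytes).
    Returns a list of alert dicts with the cluster's time span and file paths.
    """
    suspicious = sorted(
        {(ts, path) for ts, path, data in events if shannon_entropy(data) >= entropy_threshold}
    )
    alerts, cluster = [], []

    def flush():
        paths = sorted({p for _, p in cluster})
        if len(paths) >= min_files:
            alerts.append({"t_start": cluster[0][0], "t_end": cluster[-1][0], "files": paths})
        cluster.clear()

    for ts, path in suspicious:
        # A long pause between suspicious writes ends the current burst.
        if cluster and ts - cluster[-1][0] > max_gap_seconds:
            flush()
        cluster.append((ts, path))
    if cluster:
        flush()
    return alerts


# Constructed write log for a hypothetical file share: four routine note writes,
# then eight records rewritten with ciphertext within 30 seconds (the ransomware
# pattern), then one isolated compressed export that should not alert on its own.
SAMPLE_EVENTS = (
    [(t, f"/share/notes/visit_{t}.txt", NORMAL_TEXT) for t in (5, 20, 45, 70)]
    + [(100 + 4 * i, f"/share/records/patient_{i}.docx", make_pseudo_ciphertext(i)) for i in range(8)]
    + [(500, "/share/exports/monthly_report.zip", make_pseudo_ciphertext(99))]
)

if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT: {len(alert['files'])} files rewritten with ciphertext-like "
              f"content between t={alert['t_start']}s and t={alert['t_end']}s")
        for path in alert["files"]:
            print("   ", path)
```

The single compressed export at the end is deliberately high-entropy but does not alert, because the heuristic keys on a burst of many distinct files, not on one unusual write; backups, archives and legitimately encrypted exports are the usual false-positive sources for an entropy-only rule.  In practice the events would come from file-server audit logs or a minifilter, and the alert would feed the same incident process that the paper-chart fallback at MedStar Health had to cover.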

This scenario played out thousands of times at companies throughout 2015, and many more times than that on individual computers around the world last year.  People did pay to get their files back.  And in the case of the Los Angeles hospital in January, the cost of $17,000 USD in bitcoins (a form of Internet currency, currently valued at $415 U.S. dollars per unit) was a small price to pay to get the data back.

Not only is the cost of a data breach rising, the hacks are getting more sophisticated, and the number of incidents at hospitals is rising as well.  Every corner of a hospital organization takes in sensitive information every day of the week.  In the past, senior executives and boards of directors may have been able to tolerate the risk posed by cyberattacks.  But this isn’t about the Sony Pictures and JPMorgan Chase hacks from 2014.  These are medical facilities that are legally responsible under HIPAA and the HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009), not under Payment Card Industry (PCI) standards.

In my next post, I’ll provide an update on these latest hospital hack attack stories.  And I’ll also look at how these cybersecurity incidents can be prevented.
