Hacker Attacks on Healthcare Providers Jump 600 Percent

The recent data breach at Community Health Systems, in which Chinese hackers stole the personal information of 4.3 million patients, was another sign of a disturbing trend that security researchers at Websense have been observing for months: Healthcare providers are coming under cyberattack at an alarming rate.

“We’ve seen a 600 percent increase in attacks on the healthcare sector in the last 10 months,” said Carl Leonard, senior manager at Websense Security Labs.

Much of the attack activity is aimed at hospitals. While those facilities contain information on the health of patients, the intruders often are interested in the same information they’re after when they pillage other venues.

“They seek to make a profit on these attacks,” Leonard told TechNewsWorld.

“The personal identifiable information that a hospital has is very valuable because it’s supplemented by links into insurance documents and bank accounts. It’s also a very complete picture of an individual such that identity theft can occur as well,” he added.

Heartbleed Link

Once they nick personal information, data thieves can sell it in the computer underground or exploit it themselves.

“Credit card information can be used to finance more cyberattacks,” Leonard said. “It can be used to set up a command-and-control server or buy cloud space.”

In the hacking world, success attracts net bandits like bottle flies to offal. That seems to be the case with the healthcare industry.

“Malware authors are getting successful at gaining a foothold in these organizations,” Leonard said. “Not all organizations in this space have the ability to roll out the latest and greatest security solutions to protect themselves.”

The mass theft at CHS has been linked to the Heartbleed vulnerability exposed earlier this year. If that’s the case, it just shows that healthcare providers were in the same boat as companies in other industries.

“Our analysis of the OpenSSL Heartbleed vulnerability is it affected all industries, not just healthcare,” Leonard said.

“The adoption of open source technologies broadly means that if vulnerabilities are discovered by cybercriminal gangs, then there is a very large attack surface that they can operate in,” he explained.

In the United States, great care is taken to control the sharing of personal healthcare information. That adds a bit of irony to the growing theft of such data.

“Your doctor can’t even discuss with someone else what’s wrong with you,” Robert Strang, CEO of the Investigative Management Group, told TechNewsWorld, “but we can have one individual download millions of records from healthcare systems.”

Good News for Email

Email providers appear to be making some progress in their efforts to protect users from bad actors. Agari’s TrustScore rankings increased by an average of 8 percent, quarter-to-quarter, in Q2.

TrustScore is a tool devised by Agari to measure how well 147 companies in 11 industries are protecting their customers from email cyberthreats.

In preparing a TrustScore, Agari looks at the highest-volume email sending domains for the companies covered in its report and then analyzes their implementation of email authentication standards — such as SPF, DKIM and DMARC — which together protect consumers from email cyberthreats.

In preparing the quarterly TrustScore report, Agari analyzes 6.5 billion emails a day. Scores range from 65 for the social media industry to 16 for the healthcare industry.

“Having 147 of the largest companies on the planet raising their aggregate metrics of protecting consumers from email harm by 8 percent is a huge leap forward,” Patrick Peterson, founder and CEO of Agari, told TechNewsWorld.

“If we can keep that momentum up, we will have a very different world in 2015 and 2016, as far as criminals using email to go after consumers,” he added.

Malmailers Target Travel

In addition to its TrustScore, Agari has developed a ThreatScore for the industries in its quarterly reports.

To determine a ThreatScore for an industry, Agari calculates the volume of spam and potentially malicious email purportedly sent by a company and compares it to other companies and sectors in its data universe.

Agari’s ThreatScore data showed that the travel industry is becoming a popular target for email threats, with its ThreatScore jumping 800 percent from first to second quarter.

Tightening of security in other industries, like finance and social media, is driving some of the bad traffic to travel, according to Peterson.

“When criminals encounter locked doors, they don’t give up,” he remarked. “They go looking for other places to attack that are more weakly secured, and that is travel.”

Breach Diary

  • Aug. 18. Community Health Systems, based in Franklin, Tennessee, reports in SEC filing that personal information of 4.3 million patients was stolen by Chinese hackers. Data included patient names, addresses, birth dates, telephone and Social Security numbers.
  • Aug. 19. University of Louisiana Monroe reports data breach may have compromised personal information of students who graduated from the institution in the fall of 2013 and spring of 2014.
  • Aug. 20. United Parcel Service reports data breach of point-of-sale systems at 51 stores in 24 states has placed at risk 105,000 customer transactions performed this year.
  • Aug. 20. Target, still staggering from massive data breach in 2013, lowers earnings expectations for second time this year to US$3.10-$3.30 from $3.60-$3.90.
  • Aug. 20. FireEye Mobile Security reports that 68 percent of the 1,000 most popular Android apps in the Google Play store contain SSL vulnerabilities that can be exploited in “man-in-the-middle” attacks.
  • Aug. 21. Topeka (Kansas) Unified School District reports it has removed data on children from low-income families from platform where it was subject to unauthorized access.

Upcoming Security Events

  • Sept. 6-7. B-Sides Dubai. Mövenpick Jumeirah Hotel, Dubai. Free.
  • Sept. 8-9. The Privacy Security Forum: Protecting Data Assets and Managing Risks. The Westin Hotel Waterfront, Boston. Registration: $750, healthcare providers and payers; $950, all others.
  • Sept. 9-10. Detroit SecureWorld. Ford Motor Conference & Event Center, 1151 Village Road, Dearborn, Michigan. Registration: $695, two days; $545, one day.
  • Sept. 9-10. RSA Global Summit. Marriott Marquis, Washington, D.C. Registration: before Sept. 8, $745; online, $895; government, $545.
  • Sept. 12. Suits and Spooks London. Blue Fin Building, Southwark, London, UK. Registration: Pounds 200.
  • Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tennessee. Free.
  • Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Georgia. Free.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, California.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 23. Linking Enterprise and Small Business Security to Shore up Cyber Risks in the Supply Chain. 11 a.m. ET. InformationWeek webinar. Free with registration.
  • Sept. 23-24. St. Louis SecureWorld. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: $695, two days; $545, one day.
  • Sept. 23-24. APWG eCrime Researchers Symposium. DoubleTree by Hilton Hotel Birmingham, 808 South 20th St., Birmingham, Alabama. Registration: before Sept. 2, $400; after Sept. 1, $500.
  • Sept. 26. B-Sides St. John’s. Uptown Kenmount Road, St. John’s Newfoundland and Labrador. Free.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
  • Oct. 1. Indianapolis SecureWorld. Sheraton Indianapolis at Keystone Crossing. Registration: $695, two days; $545, one day.
  • Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, The Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
  • Oct. 19-27. SANS Network Security 2014. Caesars Palace, Las Vegas, Nevada. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
