David Bisson
Jul 2018

Cyber Attacks Make July a Painful Month for Healthcare


July 2018 was a rough month for the healthcare industry, and not because of the heat. Four high-profile cyber attacks caused major disruption and confirmed the industry continues to be a top target.

There’s no denying that healthcare organizations are a favorite target among digital attackers.

According to Verizon’s 2018 Data Breach Investigations Report, nearly one out of every four data breaches in 2017 affected healthcare organizations. In addition, a report from global cybersecurity insurance company Beazley found that the healthcare sector experienced the highest volume of ransomware attacks in 2017, with its proportion of attacks (45%) nearly four times that of the next most frequently targeted industries — financial (12%) and professional services (12%).  

Digital attackers have continued to prey upon healthcare organizations throughout 2018, with July being a particularly bad month featuring multiple attacks that made headlines.

July 9: Cass Regional Medical Center reports ransomware attack

  • Date of attack: July 9
  • Date of disclosure: July 9
  • Source of breach/infection: Ransomware delivered via RDP brute-force attack
  • Damage: One week with EHR offline, ambulances for trauma and stroke patients diverted

On July 9, Cass Regional Medical Center in Harrisonville, MO learned of a ransomware attack that infected its information technology systems. In particular, the attack disrupted the institution’s access to its communication infrastructure as well as those assets containing patients’ electronic health records (EHR). Cass Regional didn’t find any evidence suggesting the incident affected patients’ data. Even so, its EHR vendor decided to shut down the system until the medical center learned more about the attack.

Cass Regional activated an incident response protocol within 30 minutes of detecting the attack. As part of those procedures, IT staff began working with law enforcement and digital security experts to learn more about the attack while patient care managers met to discuss how they could best continue to serve patients. Clinical leaders also decided to divert ambulances for trauma and stroke patients while the organization worked to recover from the infection.

The medical center brought its EHR system back online on July 16.


July 10: Blue Springs Family Care reports ransomware attack

  • Date of attack: May 12, 2018
  • Date of disclosure: July 10
  • Source of breach/infection: Computer system compromise
  • Damage: Variety of other malware installed, possibly data theft of 45,000 patient records

On July 10, the U.S. Department of Health and Human Services’ Breach Portal received a report from Blue Springs Family Care about a ransomware infection it suffered earlier that spring. The attack, which was spotted by the Eastern Jackson County healthcare provider’s computer vendor on May 12, involved the installation of various malware onto Blue Springs’ computer systems. An undisclosed ransomware sample was among them.

With the help of forensic investigators, the healthcare provider found no evidence that those responsible for the attack had accessed patients’ data. But as it stated in a notice, it did learn that the initial compromise and subsequent malware installation would have granted attackers access to all its systems, including those on which nearly 45,000 patients’ personal and medical information was stored. The organization therefore said it could not rule out data theft.

Officials revealed they’ve installed new software on Blue Springs’ computer systems to monitor for instances of unauthorized access in the future. They said the healthcare provider will also begin encrypting all data at rest going forward, reported Healthcare IT News.

July 16: LabCorp reports ransomware attack

  • Date of attack: July 14
  • Date of disclosure: July 16
  • Source of breach/infection: Ransomware delivered via RDP brute-force attack
  • Damage: 7,000 systems and 1,900 servers infected

The Laboratory Corporation of America Holdings submitted a Form 8-K to the U.S. Securities and Exchange Commission on July 16. In it, the life sciences company reported that it had detected suspicious activity in its information technology systems over the weekend of July 13. LabCorp said it responded by taking certain elements of its LabCorp Diagnostics systems offline. These outages temporarily prevented customers in some cases from accessing their test results, though the company restored much of its testing operations on the date of its breach disclosure.

The statement went on to specify that LabCorp had not detected any indications of attackers misusing or exfiltrating data and that Covance Drug Development was safe from the incident. The Burlington-based institution didn’t provide additional details about the event, but as reported by Bleeping Computer, sources said bad actors gained access to LabCorp via RDP brute-force attacks and then installed SamSam ransomware on its system.  

July 20: Singapore’s Ministry of Health reveals massive breach

  • Date of attack: July 4
  • Date of disclosure: July 20
  • Source of breach/infection: Unconfirmed
  • Damage: Healthcare-related data for 1.5 million patients stolen

On July 4, the Integrated Health Information System (IHiS) detected abnormal activity on an IT database owned by SingHealth, Singapore’s largest group of healthcare institutions. Administrators responded by implementing additional security features and launching an investigation into the anomalies.

Less than a week later, IHiS confirmed that SingHealth had suffered a digital attack and that criminals had stolen some of its data between June 27 and July 4. The incident affected 1.5 million patients who visited SingHealth between May 1 and July 4. Among those whose information might have been compromised was Prime Minister Lee Hsien Loong, who had his personal details and medicine records “specifically and repeatedly targeted.”

Two days after learning of the digital attack, the healthcare group filed a police report. Local police were still looking into the matter at the time of publication.

Securing networks and reducing risk

Given the surge of healthcare attacks that made news in July 2018, it’s important that medical organizations take steps to protect their endpoints. Here’s some expert advice on the matter.

David Bisson


David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.
