Hacking Incidents are Quickly Discovered, But Insiders Go Undetected

A report on healthcare data breaches in July and August finds that while hacking incidents are quickly detected, insider breach incidents continue to go unnoticed, which can have a significant impact on healthcare organizations and patients.

There were 33 breach incidents in August that we either disclosed to the U.S. Department of Health and Human Services (HHS) or the media, according to the latest findings from Protenus, which constructs a “Breach Barometer” report each month. The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

The number of breach incidents, 33, is slightly down from July, which had 36, and June, which had 52 reported breach incidents in the healthcare sector.

For the 31 incidents for which Protenus had numbers, 673,934 patient records were affected. The largest single incident for which Protenus had numbers involved 266,123 patient records in a hacking incident that involved ransomware.

The shift in health data breaches first mentioned in the July Breach Barometer continues through August, with hacking incidents outweighing insider incidents in both frequency and the number of patient records affected. In August, healthcare experienced 18 hacking incidents, accounting for 95 percent of all breached patient records. Protenus reports that there were five incidents that specifically mentioned ransomware as the cause of the health data breach. One organization experienced two phishing attacks in as many months.

In August, insiders were responsible for 27 percent of breach incidents. Seven of the reported insider incidents were the result of insider-error, Protenus reports, and two of the reported insider incidents were the result of insider-wrongdoing. “In one case, an organization that suffered a hacking incident also ended up suffering from an insider incident during the notification process. The notification letters that included sensitive information were sent to the wrong recipients, creating another breach altogether,” the report authors wrote.

Also of note in the August report, it took an average of 138 days (median = 31 days) for healthcare organizations to discover a breach had occurred. It’s important to note that the mean and median are drastically different given the extreme range of the data, noted the Protenus report: some entities discovered a breach immediately, while one incident went undiscovered for almost two years, a result of insider-wrongdoing. This breach affected 4,721 patient records and went completely unnoticed until the breach was reported to the healthcare organization, according to the Protenus report.

At first glance, it appears that there is an emerging trend that health data breaches are taking significantly less time to discover. However, further analysis by Protenus suggested that the decreasing time to discovery may simply be an artifact of the recent uptick in hacking incidents. For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days). Generally, hacking incidents are discovered much sooner than insider incidents because of the disruption to the organization’s daily operations.

“This should serve as a reminder to healthcare organizations that while hacking can create a large splash due to the large number of affected patient records in one incident, it is the insider threats to patient data that can go undetected for extended periods of time. This is often the case because insiders have legitimate access to the EHR and ancillary systems. Advanced analytics are necessary to fully understand how patient information is accessed so that when a breach occurs, it can be detected, mitigated, and resolved as quickly as possible,” the report authors wrote.

Drilling down into outside hacking incidents, Protenus also reports that researchers are reporting a resurgence of attacks on unsecured MongoDB installations and Rsync backup devices that are resulting in these devices being wiped out or ransomed. “While it is unclear how many of breached installations or servers contained health or patient data, this should remind healthcare organizations to check configuration settings and test the security of all backup servers and devices,” the report authors wrote.

At the same time, extortion demands and non-automated ransom demands continue to plague the healthcare industry, although in many cases, media reports and HHS reports make no mention of the extortion component. Protenus cites one example in which there was an incident first disclosed in August by a covered entity that involved an attack by TheDarkOverlord (TDO), but the public disclosure did not include reference to the associated extortion attempt.

What’s more, DataBreaches.net is also aware of another group of blackhat hackers who have attempted to extort a healthcare entity. Protenus notes that the entity reported the incident to HHS, but there wasn’t a report of the extortion attempt or the fact that the hackers have already dumped approximately 10,000 patients’ records as part of applying pressure to the entity to pay the extortion. “This information reinforces that the HHS tool does not provide the full picture of how health data breaches are truly affecting healthcare,” the report authors noted.


Leave a Reply