Health Care Cyber Breach Research Report for 2016 December 2016

RESEARCH PAPER : 2016 Health Care Report

by TrapX Labs
A Division of TrapX Security, Inc.

© 2016 TrapX Security, Inc. All Rights Reserved.

Contents

Notice
Disclaimer
Executive Summary
Important Trends in 2016
Medical Device Hijack (MEDJACK)
Ransomware
The Top Ten Health Care Cyber Attacks of 2016
    #1 Banner Health
    #2 Newkirk Products, Inc.
    #3 21st Century Oncology
    #4 Valley Anesthesiology Consultants, Inc.
    #5 Peachtree Orthopaedic Clinic
    #6 Central Ohio Urology Group, Inc. (review)
    #7 Southeast Eye Institute, P.A. d/b/a Eye Associates of Pinellas
    #8 Medical Colleagues of Texas, LLP
    #9 Urgent Care Clinic of Oxford
    #10 Alliance Health Networks, LLC
Analysis
Health Care Cyber Predictions for 2017

Notice

TrapX Security reports, white papers, and legal updates are made available for educational purposes only. It is our intent to provide general information only. Although the information in our reports, white papers, and updates is intended to be current and accurate, the information presented herein may not reflect the most current developments or research.

Please note that these materials may be changed, improved, or updated without notice. TrapX Security is not responsible for any errors or omissions in the content of this report or for damages arising from the use of this report under any circumstances.

Disclaimer

We have worked in strict confidence with health care institutions to remediate current and future cyber attacks. Data referenced about health care breaches due to cyber attack is based on government sources, our own research, and public third-party disclosures. We continue to believe that these numbers are conservative and underreported on a global basis. Our disclosed numbers represent data at a point in time during the year. Numbers often change from the time of the original public disclosure, to those released later, after considered investigation, and, finally, when reported in required legal disclosures to the Department of Health and Human Services Dept., Office of Civil Rights (OCR).

Executive Summary

2016 has been a very difficult cyber year for health care institutions. The volume and percentage of attacks have increased substantially. Moreover, the nature of the threat continues to diversify into a greater variety of complex attacks promoted by sophisticated and persistent human attackers. These attacks against hospitals and medical organizations are still driven by the lucrative economic rewards for organized crime. Medical records are among the most complete sets of records available and, hence, are in demand for a variety of reasons.

The 2016 year-end health care Cyber Breach Report shares data on all major cyber attacks reported between January 1, 2016 and December 12, 2016 in the United States. Some of these breaches may have been ongoing prior to the start of 2016, but to retain consistency we used only the official reporting dates to the HHS OCR that fall within 2016.

This report will also review and examine trends that have emerged in 2016, and then align those trends with our predictions for 2017. Trends are important because they help us understand how our defenses must continue to change to meet the cyber threats that target our health care system. A trend from 2015, medical device hijack (MEDJACK), continues to accelerate through 2016 and into 2017. The lack of new technologies and associated best practices makes it very difficult for hospitals to detect and remediate threats. On a relatively new front, the rapidly emerging trend for ransomware has increased substantially. Ransomware has risen to the forefront of attacks, and we expect this trend to continue.

As 2016 comes to an end, health care remains a major target for cyber attackers. Cyber attackers know that health care institutions’ networks are highly vulnerable due to unprotected medical devices and, hence, offer attractive “low-hanging fruit.” So many millions of health care records have been stolen that, incredibly, the value of a health care record being sold on the “dark web” appears to have decreased in 2016. Notwithstanding the decrease in the value of stolen health care records, the ease of access and the relatively unprotected flanks of health care networks will continue to be a prime target in 2017.

Data sources for this report include the HHS OCR portal; publicly released information by the impacted parties; TrapX Labs research, predominantly on confidential case studies; and other Internet-based information sources. For purposes of this report only, we define the “major cyber attack health care data breaches of 2016” as those reported in 2016 to HHS OCR under HIPAA as data breaches impacting more than 500 patient records and categorized as IT hacking (cyber attacks) by the reporting party.

“The 2016 data indicates that the continued wave of cyber attacks impacting health care institutions in the United States continues to grow. Our research indicates that major[1] health care cyber attacks reported in 2016 increased by 39%, to a total of 93 major attacks. This is an increase from 36 major attacks in 2016.

In context, sophisticated cyber attackers are now responsible for 31% of all major HIPAA data breaches reported in 2016. This is an increase of approximately 300% over three years. In 2014, cyber attackers were responsible for 10% of the total major data breaches, and this increased in 2015 to 21%.

Sophisticated and persistent cyber attackers are, in our opinion, the single greatest threat to the protection of patient-health care data, critical health care operations and, ultimately, present a direct physical risk to patients.”

Moshe Ben Simon
Co-Founder and Vice President, TrapX Security

[1] Major cyber attacks in health care are defined as those cyber attacks that resulted in data breaches that impacted over 500 patients. - TrapX Labs Research Team

Important Trends in 2016

There are many key facilities in health care that fall into the focus of targeted cyber attacks in 2016; they include hospitals, skilled nursing facilities (SNFs), ambulatory surgical centers (surgi-centers), MRI/CT scan facilities, diagnostic laboratories, urology centers, physical therapists, physician practices, and more. These facilities are almost always Internet connected and may share common electronic medical record/health systems (EMR/EHR). With more than 900,000 physicians; 225,000 practices; and over 2,700,000 registered nurses, […] approximate 5,627 [1] hospitals in the United States to a number that may be as high as 16,500 hospitals globally. [2]

Two key trends have emerged across this base with absolute clarity in 2016: the continual discovery and evolution of medical device hijack (MEDJACK and MEDJACK.2) and the escalation of ransomware across a broad mix of targets. This is evidenced by compliance reporting published by HHS OCR and
