FBI Warns Health Care Industry – Target for Cyber Attacks
- BannerHealth (3.6M records),
- Newkirk Products (3.4M records),
- 21st Century Oncology (2.2M records), and
- Valley Anesthesiology Consultants (0.88M records).
The largest known cyber attack on a large hospital system occurred in 2014, when Community Health Systems was the target of a criminal cyber attack that originated in China and used highly sophisticated malware and technology to attack the company’s systems. The stolen data included sensitive information such as patient names, addresses, birth dates, telephone numbers and social security numbers. The attack was considered a breach under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The FBI has warned the health care industry that it is not as resilient to cyber crime as other business sectors. Medical devices often contain proprietary information and technology, making them an additional target for cyber criminals. The FBI has observed malicious attacks targeting health care-related systems, likely for the purpose of obtaining protected health information and/or personally identifiable information.
The health care industry was targeted in the June 2017 ransomware attack that impacted major corporations across the world. Merck, one of the largest drug makers in the U.S., reported that they were infected by the malware, as was Heritage Valley Health systems, a health care network that runs two hospitals in Western Pennsylvania. At least one surgery had to be postponed due to the attack.
Cyber criminals are looking to exploit the vulnerabilities that often result from offering life-critical services while working to improve treatment and patient care with new technologies. The threats range from malware that compromises the integrity of systems and the privacy of patients to distributed denial of service (DDoS) attacks that disrupt facilities’ ability to provide patient care.
Other sectors that provide critical infrastructure services are targets of cyber attacks as well, but the health care industry is especially vulnerable due to the nature of its mission. So far, the following types of breaches have been known to occur in the health care sector:
- data breaches
- DDoS attacks
- insider threats, and
- business email compromise and fraud scams.
Health care organizations need to develop and implement the following types of protections to help mitigate their risk, including computer information systems and practices that:
- are always ready to assess and act on current threat information in order to identify vulnerabilities and reduce the window of opportunity for attackers.
- properly back up critical information using proven methodology for timely recovery.
- prevent data extraction, mitigate the effects of data theft, and ensure the privacy and integrity of sensitive data.
- develop processes and tools that will prevent unauthorized access to critical assets.
- actively manage the life cycle of system and application accounts in order to minimize hacking opportunities.
- develop and execute an internal, integrated plan to assess, identify gaps and remedy them through policy, organizational planning, and training and awareness programs.
- protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure.
Cyber incidents are now a part of our way of life. Even large, well-funded, and technically sophisticated organizations struggle to keep up with the frequency and complexity of cyber attacks. The question of a successful attack is not “if” but “when.” The health care insurance experts at Marsh & McLennan Agency (MMA) are poised and ready to assist your organization with all aspects of health care business liability, including cyber risk. Connect with MMA health care insurance expertise to create a program that’s right for you.