A Year in Review of Healthcare Cybersecurity Developments and Trends

In March 2016, HIMSS issued Volume 1 of the HIMSS Healthcare Cybersecurity Environmental Scan Report (now called the “Healthcare and Cross-Sector Cybersecurity Report”). Around this time, numerous public reports surfaced with regard to major hospitals suffering ransomware attacks. Ransomware attacks continue to grow, and the ransomware variants and trends have been tracked in our subsequent reports. Not only have we included information about the various ransomware threats, but we have also provided information on ransomware decryptors and other helpful resources across all of our Healthcare and Cross-Sector Cybersecurity Reports.

In April 2016, we highlighted the problem of business e-mail compromise (“BEC”) in Volume 2. In this scheme, criminals use spear-phishing e-mails to lure victims into wiring significant sums of money to accounts the criminals control. BEC is not new and, according to the Internet Crime Complaint Center (IC3), the combined exposed dollar loss is in excess of $2 billion with well over 10,000 victims in the United States.

In October 2016, we explored business e-mail compromise in more depth, discussing what it is and how it works in a blog post.

In November 2016, media outlets reported news of an international BEC scheme targeting 17 US, 10 UK, and 8 Canadian healthcare organizations. According to these media reports, each employee who was targeted by the BEC scheme transferred, on average, a total of $140,000 to the cybercriminal. This example is a reason why keeping current with cybersecurity developments and trends is important for your organization. The information you (or your staff) learn and act on will enable you to stay ahead of the threats that are out there. In the case of BEC, an ounce of prevention (through awareness training of workforce members on BEC) can go a long way.
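Awareness training is the first line of defense, but a mail gateway or SOC can also screen for the hallmarks of a BEC lure that the reports above describe: a look-alike sender domain, a Reply-To pointing somewhere other than the apparent sender, an executive's display name on an external address, and wire-transfer urgency language. The script below is an added example (not HIMSS's or IC3's code); the trusted-domain list, the phrase list, the edit-distance threshold and both sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic screen for business e-mail compromise (BEC) lures.

Added illustrative example, not code from HIMSS or IC3. The trusted
domains, phrase list, threshold and sample messages are constructed
assumptions for this demo, not tuned production values.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumption: the organization's own mail domains (constructed for the demo).
TRUSTED_DOMAINS = {"example-hospital.org"}

# Phrases typical of wire-fraud lures; an assumed list for illustration.
URGENCY_PHRASES = (
    "wire transfer", "urgent", "confidential", "before end of day",
    "new bank account", "updated banking details",
)

# Titles criminals like to impersonate when pressuring finance staff.
EXECUTIVE_WORDS = ("ceo", "cfo", "chief", "director")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits usually means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def bec_findings(raw_message: str) -> List[str]:
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. Reply-To diverts the conversation away from the apparent sender's domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Sender domain is a near miss of a trusted domain (e.g. one character swapped).
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and 0 < edit_distance(from_domain, trusted) <= 2:
            findings.append(f"sender domain {from_domain} looks like trusted domain {trusted}")

    # 3. Display name claims an executive identity but the address is external.
    if (display_name and from_domain not in TRUSTED_DOMAINS
            and any(w in display_name.lower() for w in EXECUTIVE_WORDS)):
        findings.append(f"executive display name '{display_name}' on external domain {from_domain}")

    # 4. Body uses payment-urgency language (single-part text messages only here).
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else None
    body_text = payload.decode(errors="replace").lower() if payload else ""
    hits = [p for p in URGENCY_PHRASES if p in body_text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages for the demo (not real mail).
SAMPLE_LURE = """From: "Jane Doe, CFO" <jane.doe@example-hospita1.org>
Reply-To: jane.doe@mail-relay-example.net
To: accounts@example-hospital.org
Subject: Urgent wire transfer

Please process an urgent wire transfer to our new bank account before end of day. Keep this confidential.
"""

SAMPLE_BENIGN = """From: "Helpdesk" <helpdesk@example-hospital.org>
To: staff@example-hospital.org
Subject: Scheduled maintenance

The patient portal will be unavailable Saturday 02:00-04:00 for maintenance.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", bec_findings(sample) or "no indicators")
```

Any single indicator is weak on its own (legitimate mail sometimes sets a different Reply-To), so in practice these findings feed a score or a quarantine-for-review queue rather than an outright block, and they complement, not replace, the out-of-band verification of payment changes that awareness training teaches.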

In May 2016, patient safety and cybersecurity were the major focus of Volume 3. While this topic is still very important (and will continue to be for the foreseeable future), we also highlighted the insider threat problem in this report. There are malicious insiders and negligent (and usually well-meaning) insiders. Insiders are those with trusted access (and who may or may not have physical access) to your organization’s IT assets.

While the negligent insider threat may be mitigated through awareness training, policies, and sanctions, the malicious insider threat can be problematic—unless you know what to look for and who to contact if you suspect such a problem (namely, a malicious insider threat actor, who may be a consultant, employee, intern, or other individual with trusted access). Moreover, especially in the case of malicious insiders, we reported in Volume 4 that external actors have recruited insiders to provide sensitive or proprietary information for financial gain, espionage, and other ends.

In October 2016, we released information on the Mirai and Bashlite botnets and the distributed denial of service threat in Volume 5. Indeed, we mentioned that the source code of Mirai had been released in the wild, available on a popular public repository site. Just a few days after the publication of Volume 5, the distributed denial of service attack on Dyn occurred (and was quickly responded to and mitigated by Dyn). We informed our HIMSS members about what had happened in a blog post on the topic.

In November 2016, we highlighted banking Trojan activity (e.g., Dyre) in light of the anticipated threat to the health sector. We also highlighted the risks associated with supply chain security and the possibility that a vendor may unwittingly distribute Trojanized software within its official distribution packages. By the same token, we highlighted more banking Trojans in our December 2016 report (e.g., Panda Banker, Shifu, MidasBot, GozNym, Sphinx, and Corebot, which are reported to be active around the world). (It is not uncommon for criminals to reuse the same or substantially similar tactics, techniques, and procedures when they prove successful—irrespective of the sector.)

In January 2017, we highlighted the insecurity of the Internet. Many websites still rely on the outdated SSL v2 protocol. A frequent misconception in the health sector is that if it is encrypted, it is secure. This is a myth—we need to ensure that our security protocols are current (and that we implement them correctly, too).

At present, we see no evidence that these threats are slowing down. What we need is more healthcare organizations staying ahead of threats and, perhaps most importantly, more people within healthcare organizations achieving cybersecurity literacy.

Cybersecurity is not (and should not be) just for IT security staff. Rather, cybersecurity for the rest of us needs to be clear and present.

For these reasons, we encourage you to further your knowledge about cybersecurity—not just for the benefit of your organization (and yourself), but also (and especially) for your patients.


privacy and security; healthcare; hacking; cybersecurity