Image Courtesy: Rackspace
It is no secret the number of cyber-attacks is on the rise. As more time goes by, cyber criminals are becoming more sophisticated with nature of attacks. So, we always need to stay alert on this issue as our dependency over technologies is increasing day by day. Usually financial sector, along with energy and national defense sectors, is most affected one from this phenomena. NOW the attackers have been increasing their focus towards HealthCare Industry!
Year 2015 was called “Year of the health-care attack” By Washington Post. Among other major incidents, security breach of Anthem, the second largest health insurer was the biggest one. Data of 80 million people was lost in the process. Other major data breaches happened the same year among institutions like Premera BlueCross (11 million records compromised!) and Excellus BlueCross BlueShield (10 million records compromised!).
In year 2016, it certainly didn’t get any better!
In February, A Medical Center in California was hit by ransomware, which forced the hospital to shut down all of its computers and depended on fax machines and paper records for a week.
Rather than lose all its patient medical records, the hospital decided to bite the bullet and paid the ransomware crooks 40 bitcoins, or about $17,000, to restore the hijacked files.
According to the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute published in 2016, breaches in healthcare are costing the industry $6.2 billion per year.
According to Moshe Ben Simon Co-Founder and Vice President, TrapX Security-
“The 2016 data indicates that the continued wave of cyber-attacks impacting health care institutions in the United States continues to grow. Our research indicates that major health care cyber-attacks reported in 2016 increased by 63%, to a total of 93 major attacks. In context, sophisticated cyber attackers are now responsible for 31% of all major HIPAA data breaches reported in 2016. This is an increase of approximately 300% over three years. In 2014, cyber attackers were responsible for 10% of the total major data breaches, and this increased in 2015 to 21%. Sophisticated and persistent cyber attackers are, in our opinion, the single greatest threat to the protection of patient-health care data, critical health care operations and, ultimately, present a direct physical risk to patients.”
In 2017, personal health data of 918,000 seniors was posted online for months, after a software developer working for HealthNow Networks uploaded a backup database to the internet, an investigation by ZDNet and DataBreaches.net found. On another instance, an attack on San Antonio-based ABCD Children’s Pediatrics resulted data breach of 55,447 patients. Affected files may have included patient names, Social Security numbers, insurance billing information, dates of birth, medical records, laboratory results, procedure technology codes, demographic data, address and telephone numbers.
There are many more. But I think it’s enough to make someone understand what is going on with Healthcare industry regarding security and its impending future.
So let’s focus on why attackers are targeting healthcare industry?
“Electronic health records are 100 times more valuable than stolen credit cards,” said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington D.C.
“With credit cards, the money is insured. If the bank is FDIC-backed, most people who have their credit card numbers stolen would not actually lose the money. The bank makes up the difference,” Scott said. “But with electronic health records, the reason that hospitals and insurance companies are such a big target, first, is because of the payoff.”
A single Medicare or Medicaid electronic health record can fetch a $500 price tag on dark web forums, Scott said. Experian, the global information service, estimates that health records are worth up to 10 times more than credit card numbers on the black market.
“If you purchase 100 electronic health records, you have everything for each of those people — social security number, all the addresses, their kids, their jobs,” Scott said. “Malicious actors want as much intelligence as they can get, and health care is the easiest attack surface for seasoned and non-seasoned hackers.”
IBM explained the situation perfectly
[Health records] typically contain credit card data, email addresses, social security numbers, employment information and medical history records – much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear-phishing attacks, commit fraud and steal medical identities.
The healthcare sector is also an appealing target for cyber criminals because the industry’s approach to cyber security is behind the times.
Here is the result of a survey conducted by Sophos.com.
Furthermore, according to BSIMM (The Building Security in Maturity Model) 6 study published in October, healthcare organizations scored lowest, only ahead of consumer electronics industries, when it comes to securing their applications.
“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”
While attacks from cyber criminals are the leading cause of data breaches but they aren’t the only cause. Silly mistakes like unintentional employee actions, third-party snafus and lost/stolen computer devices are also major causes behind these data breaches.
To minimize the security threat first and foremost one should implement the mentioned points in one of our earlier article.
Apart from that, ensuring continuous monitoring of your organizations whole network and security perimeter along with third parties you share sensitive information with, can be invaluable for detecting and preventing major security incidents, and also minimizing the damage when a successful breach occurs.
If you plan to enhance your security furthermore, you may want to have a look at HIPAA Compliance which is followed in the United States. Even if you are outside of US, you can follow this standard to ensure information security in health sector.
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
For further information on these matters, please don’t hesitate to contact with us.