Whether you work in cybersecurity at a hospital or a company that provides health insurance, your data has either been targeted by hackers or will be. Cybercriminals have been attacking the health care industry more than any other, including companies in the retail industry and defense contractors.
- 2015 was a banner year for health care breaches, according to a report issued by IBM which called it the "year of the health care breach."
- Of the eight largest breaches in the health care industry since 2010, five occurred in a six-month period in 2015.
- The breach at Anthem exposed the records of as many as 78 million people, the worst of 2015 as well as the worst health care hack of all time in the United States.
- At Premera Blue Cross, 11 million people were affected by a hack.
- 10 million people were affected by an attack on Excellus Health Plan Inc.
Although 2015 was certainly a record-breaking year for health care hacks, 2016 was no kinder.
- Analysts are calling the Banner Health data breach the ninth-worst ever of its kind after an estimated 3.7 million people had their personal information exposed.
- The Brookings Institution predicted that 25 percent of all data breaches during 2016 would involve the health care industry.
- California's Hollywood Presbyterian Medical Center suffered a ransomware attack that forced the hospital to revert to paper records and fax machines for a week. Ultimately, the hospital paid approximately $17,000 in bitcoins to ransom their files.
Accenture projects that over the next five years, hospitals will lose over $305 billion as a result of cyberattacks. These attacks will compromise the personal data of one in 13 (almost 8 percent) of American patients.
What Makes Health Records So Attractive to Hackers?
Although it is true that some hackers are politically or socially motivated, most cybercriminals are seeking profits. On the black market, financial records (credit card numbers, bank account credentials and Social Security numbers) sell for approximately $1 each. Financial records typically contain little personal data; dates of birth, current employers' information, marital status and similar details are usually not found within the records stolen from a retailer, for example. Furthermore, victims often realize that their information has been stolen in a relatively short time; they may notice that their bank account has been drained, or their credit card provider may question unusual activity. Hackers' profits typically cannot exceed the balance in the bank account or the card's credit limit. This limits both the "shelf life" and the relative value of the data.
In contrast, health care records sell on the black market for approximately $75 each as they contain a wealth of information that can be used in a variety of ways. A patient's typical record will contain his or her address, phone number, employer's name, Social Security number, spouse's name, spouse's employer and medical history. With this information, crooks have access to the information they need to steal the patient's identity to obtain an "official" ID, obtain prescription drugs to resell at a profit or even blackmail a public figure who does not want a medical condition made known. Advanced gangs of cybercriminals have been known to establish phony provider accounts to bill government agencies and insurance companies for "treating" the patients whose information has been stolen.
The Cost of a Health Care Breach
Regardless of the industry, data breaches are difficult and costly to remediate. However, it can be especially expensive for those in the health care industry. The IBM study found that the average cost across all industries was $158 per compromised record, but in the health care industry, the cost was more than twice that, averaging $355 per compromised record.
Why the Health Care Industry Is Particularly Vulnerable
Simply being a desirable target is not enough to explain why hackers seem to have a relatively easy time succeeding with attacks on the health care industry. Other factors have contributed to the industry's vulnerability.
- As a group, the health care industry is woefully behind the times when it comes to cybersecurity. For example, approximately 20 percent reported that they do not use any type of encryption for their data and only 31 percent stated that they make extensive use of data encryption.
- Health care providers are not cybersecurity experts. They often do not take the proper steps to train employees about potential risks, so many breaches or malware infestations occur when an employee opens an infected email or follows a malicious link to respond to a phishing attempt.
- The Patient Protection and Affordable Care Act, commonly referred to as Obamacare, forced many providers to transition to electronic health records before they could make the necessary investment in security. The industry has been forced to concentrate more on compliance than on securing their data.
- Health care providers often have a large threat surface that involves third-party providers or connections. For example, Massachusetts General Hospital suffered a breach after a vendor providing software for dental practices was hacked. Prior to the breach exposing health records, Banner Health suffered at least two breaches that affected those who had purchased food or beverages from the cafeterias and snack outlets operated by the health system. Although Banner has not divulged the method that the hackers used to access the health records, some analysts have speculated that the point-of-sale (POS) system may have provided a back door into the network.
How to Protect Yourself
Cybercriminals are becoming increasingly adept at circumventing basic security measures. Instead of dealing with amateurs, you are now faced with highly trained professionals who are also highly motivated. Some are state-sponsored hackers with large budgets and plenty of time, while others are well-organized criminal gangs. However, this does not mean that you should simply surrender and accept a breach as inevitable.
- Ensure that employees are trained to recognize and avoid phishing attempts, taught that they should not open suspicious emails and instructed that they should not insert a portable memory device of unknown origin.
- Early detection is critical. You must also have an incident response plan that can be initiated quickly to contain potential damage.
- Encrypt your data. The IBM study found that companies using extensive data encryption saved an average of $13 per record when a breach occurred.
- Establish an incident response team and make sure that they participate in training exercises so that they know precisely what to do if a breach occurs. IBM reported that companies with incident response teams saved an average of $16 per record after a cyberattack.
If you need help putting the "security" back into your security operations center, contact Demisto Enterprise. We can help you with incident detection and response without breaking your budget.