Attackers Shift Sights From Retail to Health Care in 2015

During the holiday season just a few years ago, major retailers were in a panic responding to countless attacks from cybercriminals targeting their highly coveted customer credit card information. It’s likely that you were personally impacted by those high-profile breaches, or if not, you know someone close to you who was.

IBM’s X-Force security researchers analyzed data from the first 11 months of 2015 and have identified some interesting shifts in criminal behavior. Surprisingly, companies are reporting significantly fewer compromised retail records in 2015, down 96 percent from 2013. Comparing 2014 to 2015, there’s a 92 percent decrease — we’re currently at a four-year low, with only 5.7 million compromised records reported.

What Is Prompting This Change?

For starters, cybercriminals are extremely sophisticated. They go where the valuable data is. While it’s true that retail information is valuable, the expiration date starts ticking immediately as banks focus on detecting and shutting down compromised cards. That’s why it’s no surprise we have seen a dramatic shift as attackers focus on an even more valuable target: health care records.

In 2015, there was a tremendous uptick in the theft of health care data. We have seen a 1,166 percent increase in reported health care records breached from 2014 to 2015. In fact, nearly 100 million health care records were compromised in 2015.

There are 321 million people in the U.S., which is where the majority of the health care records were stolen, so this equates to roughly 1 in every 3 people in the country.

Why the Shift From Retail?

  • Attackers have modified their tactics. They’re not targeting the major retailers anymore. Rather, IBM’s researchers have seen an increase in attacks targeting smaller retailers, including convenience stores, pawn shops and other shops that don’t have the same resources to detect breaches. These attacks often go undetected for a very long time, lowering the number of compromised records reported.
  • Retail data expires. Credit cards can be easily turned off and reset to protect customers, leaving criminals empty-handed after their initial data theft haul.
  • Retailers have been making strides in security. The high-profile breaches have provided incentive for retailers to adopt more stringent security standards. They still have work to do, like implementing (and turning on) EMV readers for chip-and-PIN cards, but they are moving in the right direction. It’s important that retailers don’t let their guard down and constantly look for ways to improve their security posture and lower risk.

Why Is Health Care Hot for Criminals?

  • It’s highly valuable data. Health care’s crown jewel, protected health information (PHI), has an excellent resale value on the black market. The FBI has claimed that individual health care records can fetch $50 apiece on the underground versus $1 or less for credit cards. IBM X-Force researchers even see criminals giving away credit card data for free in forums.
  • Health data lasts forever. With credit cards, the banks reset the cards, which means there’s an expiration date on the data. But health records never expire and can be used for numerous malicious activities such as identity theft, insurance and health care fraud, fraudulent tax returns and more.
  • Health care is still adapting to the security landscape. 2015 was undoubtedly the year of the health care breach, with nearly 100 million records compromised. Health care organizations still need to focus on adopting security best practices in 2016 and locking down the many entry points into organizations. From medical tools to mobile devices, we’re likely to see changes made in the health care industry to safeguard this highly coveted data.

Read the complete IBM research report: Security trends in the healthcare industry

What Can Health Care Organizations Do to Safeguard Health Care Information?

There are many ways organizations within the health care industry can protect their valuable information. It starts by having security teams:

  • Think like an attacker and conduct regular penetration tests to identify weaknesses within the organization.
  • Identify where the crown jewels reside within the organization.
  • Encrypt passwords, especially those for privileged users.
  • Encrypt patient information, even at rest and within the electronic system.
  • Scan and test applications before deploying them within the organization, ensuring they are secure and that proper coding practices were followed.
  • Segregate patient data from other data.
  • Follow the principle of least privilege, allowing data access only to users who require it to do their jobs.
  • Implement a defense-in-depth strategy with multiple layers of security.
  • Have a dedicated information security professional with the power to make risk-benefit decisions that improve the overall security posture of the organization.
  • Conduct a security framework and risk assessment and then develop an incident response plan.

If you have more questions about cybersecurity in health care and the retail industry, download two recent reports from IBM’s Managed Security Services team. Whether confronting why 2015 was the year of the health care data breach or examining the top threat facing the retail industry, this information can be vital to understanding the cyberthreats facing an enterprise.

Caleb Barlow

Vice President - IBM Security
