Health Care Security in 2016: End-of-Year Checkup on Security Trends

As IBM X-Force Security Research predicted six months ago, a shift in cybercriminals’ focus from the retail industry led to increased risk in the health care sector in the second half of 2016. Unfortunately, empirical data confirmed just how dramatic these trends have been on a year-over-year basis. Let’s review the state of health care security in 2016.

Top Threats to Health Care Security in 2016

The Privacy Rights Clearinghouse published a chronology of publicly disclosed data breaches, sorted by type of breach, type of organization, number of records compromised and date of disclosure. The following graphic shows that the total number of data breaches in the health care sector ballooned from 81 in 2015 to 283 in 2016.

[Graphic: How cybercriminals are targeting the health care industry]

Drilling down into the type of breaches is also enlightening when reviewing the state of health care security in 2016.

Malicious External

External, malicious incidents, in which an outside party hacks into systems or infects them with malware, increased from 17 instances in 2015 to 121 in 2016. This category includes ransomware, by far the highest-profile threat to hit the health care sector in 2016.

Non-Malicious Internal

Sometimes breaches occur as the result of a pure accident. For example, a user with legitimate access might unintentionally disclose sensitive data, mistakenly post sensitive information publicly, or send a confidential email, fax or physical documents to the wrong party. This type of insider threat increased by a factor of nearly five, from 18 in 2015 to 86 in 2016.

Lost or Stolen Devices

This type of breach occurs when devices holding sensitive data are lost, stolen or improperly discarded. Incidents of this kind increased by about 45 percent, from 27 in 2015 to 39 in 2016. Virtually all of them involved mobile or portable devices such as smartphones, laptops, memory sticks, hard drives and backup tapes. Most organizations address this risk with full-disk encryption of endpoints and removable media. The practical check is not whether an encryption policy exists but whether the specific lost device was verifiably encrypted and its key was not compromised; only then does a lost device count as a lost asset rather than a reportable breach.

Physical Loss

Incidents in which paper documents were physically lost, discarded or stolen increased by about 2.7 times, from 12 in 2015 to 32 in 2016. This is a good reminder that the scope of information security actually encompasses data in all forms, electronic or not.

Malicious Internal

There was one bright spot in the year-over-year trends, according to the chronology. Internal breaches stemming from malicious users with legitimate access, such as employees, contractors, business partners and customers, decreased from 11 in 2014 and seven in 2015 to just five in 2016. While the insider threat is still a serious concern, the data showed that it is a relatively low-priority issue with regard to publicly disclosed breaches. One caveat: these are counts of disclosed incidents, not of records or impact, and malicious insiders are harder to detect and attribute than outside attackers, so a low count may partly reflect detection gaps rather than the absence of the threat.
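The category counts above are simple aggregations of a chronology of disclosed incidents, grouped by year and breach type. The following script, added here as an illustration and not code from the article or from the Privacy Rights Clearinghouse, reproduces that analysis over a constructed sample. The CSV column names (date_made_public, organization_type, breach_type, records) and the mapping of PRC breach-type codes (HACK, DISC, PORT, STAT, PHYS, INSD) and the organization code MED onto the article's five categories are assumptions; the rows in SAMPLE_CSV are invented for the example and are not real breach data.

```python
"""Year-over-year breach counts by category, in the style of the
Privacy Rights Clearinghouse chronology summarized in the article.

Added illustration, not code from the article or from PRC. The CSV
layout and the code-to-category mapping below are assumptions; the
sample rows are constructed, not real breach records.
"""
import csv
import io
from collections import Counter

# Assumed mapping of PRC breach-type codes to the article's categories.
CATEGORY = {
    "HACK": "Malicious External",      # hacked by an outsider / malware
    "DISC": "Non-Malicious Internal",  # unintended disclosure
    "PORT": "Lost or Stolen Devices",  # lost or stolen portable device
    "STAT": "Lost or Stolen Devices",  # lost or stolen stationary computer
    "PHYS": "Physical Loss",           # paper records
    "INSD": "Malicious Internal",      # malicious insider
}

# Constructed sample rows (not real PRC data). A blank record count is
# still one incident: the chronology counts disclosures, not records.
SAMPLE_CSV = """date_made_public,organization_type,breach_type,records
2015-03-02,MED,HACK,1200
2015-04-10,MED,DISC,300
2015-06-21,MED,PORT,4500
2015-09-14,BSR,HACK,90000
2016-01-05,MED,HACK,2500
2016-02-17,MED,HACK,11000
2016-03-30,MED,PHYS,40
2016-05-12,MED,DISC,600
2016-07-08,MED,INSD,75
2016-08-22,MED,STAT,200
2016-11-11,MED,HACK,
"""


def count_by_year_and_category(csv_text, org_type="MED"):
    """Return {(year, category): incident_count} for one organization type.

    Rows whose breach code is not in CATEGORY are counted under 'Other'
    rather than silently dropped, so the per-year totals stay honest.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["organization_type"] != org_type:
            continue
        year = int(row["date_made_public"][:4])
        cat = CATEGORY.get(row["breach_type"], "Other")
        counts[(year, cat)] += 1
    return counts


def year_over_year(counts, prev, curr):
    """Return {category: (prev_count, curr_count, ratio)}.

    ratio is curr/prev, or None when there is no prior-year baseline
    (a category that first appears in curr is 'new', not infinite growth).
    """
    cats = {cat for (_, cat) in counts}
    out = {}
    for cat in sorted(cats):
        a, b = counts[(prev, cat)], counts[(curr, cat)]
        out[cat] = (a, b, (b / a) if a else None)
    return out


def report(csv_text, prev=2015, curr=2016):
    """Render the year-over-year table as text."""
    rows = year_over_year(count_by_year_and_category(csv_text), prev, curr)
    lines = [f"{'Category':<24}{prev:>6}{curr:>6}  change"]
    for cat, (a, b, r) in rows.items():
        change = f"x{r:.2f}" if r is not None else "new"
        lines.append(f"{cat:<24}{a:>6}{b:>6}  {change}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Run against a real export, the same two functions give the per-category counts and multipliers quoted above; the report deliberately prints "new" instead of a ratio when the prior year had zero incidents, and the filter on organization type is what keeps retail (BSR) rows out of a health care tally.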

Looking Back, Looking Ahead

Why did the cyberthreat landscape shift to the health care sector? Cybercriminals have the motive, since health care data is both valuable and long lasting (a patient's medical history, unlike a payment card number, cannot be reissued), and the opportunity. They are able to exploit the widespread use of legacy systems and medical devices with weak security, a fragmented workforce that rightly prioritizes patient care over security, and the pressing need for immediate access to patient records, which pushes organizations toward broad access rather than least privilege. These factors make health care an extremely attractive target.

The prescription for health care security in 2017 and beyond? Recognize the fundamental problem as a business issue, not a technology issue. Understand the risks, decide how much risk is acceptable and invest in a more mature set of capabilities for reducing risk to an acceptable level.

Derek Brink

VP & Research Fellow, IT Security and IT GRC, Aberdeen Group

Derek Brink helps individuals to improve their critical thinking, communication skills and leadership skills by teaching graduate courses in information security and IT management at Brandeis University. He also helps organizations to improve their security and compliance initiatives by researching, writing about and speaking about the people, processes and technologies that correspond most strongly with leading performance, as part of his role as vice president and research fellow at Aberdeen Group, A Harte Hanks Company. He is experienced in high-tech strategy development and execution, corporate and business development, product management and product marketing, through positions at RSA Security, IBM, Sun Microsystems and Hewlett-Packard. Derek earned an MBA with honors from the Harvard Business School and a BS in Applied Mathematics with highest honors from the Rochester Institute of Technology.