As IBM X-Force Security Research predicted six months ago, a shift in cybercriminals’ focus from the retail industry led to increased risk in the health care sector in the second half of 2016. Unfortunately, empirical data confirmed just how dramatic these trends have been on a year-over-year basis. Let’s review the state of health care security in 2016.
Top Threats to Health Care Security in 2016
The Privacy Rights Clearinghouse published a chronology of publicly disclosed data breaches, sorted by type of breach, type of organization, number of records compromised and date of disclosure. The following graphic shows that the total number of data breaches in the health care sector ballooned from 81 in 2015 to 283 in 2016.
Drilling down into the type of breaches is also enlightening when reviewing the state of health care security in 2016.
External, malicious incidents, which may involve malware infection or other outside cybercriminal activity, increased from 17 instances in 2015 to 121 in 2016. This category includes ransomware, by far the highest-profile threat to hit the health care sector in 2016.
Sometimes breaches occur as the result of a pure accident. For example, a user with legitimate access might unintentionally disclose sensitive data, mistakenly post sensitive information publicly, or send a confidential email, fax or physical documents to the wrong party. This type of insider threat increased by a factor of nearly five, from 18 in 2015 to 86 in 2016.
Lost or Stolen Devices
This type of breach occurs when devices holding sensitive data are lost, stolen or improperly discarded. Incidents involving this type of breach increased by about 45 percent, from 27 in 2015 to 39 in 2016. Virtually all of these are mobile or portable devices such as smartphones, laptops, memory sticks, hard drives, backup tapes and so on. Most organizations use encryption to address the risk of data breaches on their endpoints.
Incidents in which paper documents were physically lost, discarded or stolen increased by about 2.7 times, from 12 in 2015 to 32 in 2016. This is a good reminder that the scope of information security actually encompasses data in all forms, electronic or not.
There was one bright spot in the year-over-year trends, according to the report. Internal breaches stemming from malicious users with legitimate access, such as employees, contractors, business partners and customers, decreased from 11 in 2014 and seven in 2015 to just five in 2016. While the insider threat is still a serious concern, the data showed that it’s a relatively low-priority issue with regard to data breaches.
Looking Back, Looking Ahead
Why did the cyberthreat landscape shift to the health care sector? Cybercriminals have the motive — since health care data is both valuable and long lasting — and the opportunity. They are able to exploit common use of legacy systems and devices with weak security, as well as a fragmented workforce with a high priority on patient care and low priority on security, and the pressing need for immediate access to patient records. These factors make health care an extremely attractive target.
The prescription for health care security in 2017 and beyond? Recognize the fundamental problem as a business issue, not a technology issue. Understand the risks, decide how much risk is acceptable and invest in a more mature set of capabilities for reducing risk to an acceptable level.