On the eve of 2016, IBM X-Force Security Research called attention to a shift in cybercriminals’ focus from retail to health care, and they warned of increased security risk in the health care sector. Halfway through the year, how have those predictions for health care security been playing out?

The Prognosis Was Correct

Unfortunately, the prognosis of a higher risk of data breaches in the health care industry in 2016 has proved to be spot on. At least for the likelihood side of health care security risk, the evidence confirms a clear increase:

  • IBM’s interactive infographic of publicly disclosed data breaches revealed that the health care industry represents a steadily growing percentage of all data breaches. It has risen from 5 percent in 2013 to 8 percent in 2014, 9 percent in 2015 and 15 percent in the first half of 2016 (through June 1).
  • Similarly, the data breaches cataloged by the Privacy Rights Clearinghouse showed that as a percentage of all data breaches, the health care industry grew from 8 percent in 2013 to 14 percent in 2014, 15 percent in 2015 and 35 percent in the first half of 2016. Although these two databases are somewhat different, the general trend is very much the same.
  • From a slightly different perspective, Verizon’s annual Data Breach Investigations Report showed that the percentage of investigated security incidents in the health care industry that were found to have resulted in confirmed data breaches (i.e., the disclosure of an information asset to an unauthorized party) jumped from 27 percent in 2013 to 60 percent in 2014 and 69 percent in 2015.

This regrettably accurate trend is easier to see in the following chart. Keep in mind that risk is properly defined as a function of both the likelihood of such events occurring and the business impact if they actually do occur; the figures above speak only to the likelihood side.

By these and other measures, the likelihood factors of risk in the health care industry are on the rise.

Health Care Data Is Where Motivation Meets Opportunity

Cybercriminal behaviors with respect to the health care industry can be observed, but the full picture requires understanding their motivations and opportunities as well. The start-of-year analysis didn’t make many predictions in this regard, but it did provide useful insights that are still applicable just a few months later.

Motivation for cybercriminals is certainly clear enough: Health care data is valuable. Medical records typically include names, Social Security numbers, dates of birth, financial information, employment information, insurance information, addresses, phone numbers, emails and more — all the things one would need to perform identity fraud, insurance fraud, tax fraud and so on.

The fact that health care data is even more valuable to cybercriminals than payment card information is by no means new. In the summer of 2013, underground market pricing for stolen health care data looked something like this, according to SecureWorks:

  • About $20 per record for health care credentials only, including name, date of birth and insurance information.
  • About $500 for fullz, which are electronic dossiers of credentials for a particular individual, compiled and packaged with other personally identifiable information to facilitate identity theft and fraud.
  • Between $1,200 and $1,300 for kitz, which include custom-manufactured physical credentials (e.g., insurance card, Social Security card, driver’s license, credit card) and documentation related to identity data to provide a complete, ready-to-use identity theft kit.

A more recent trend is the upswing of ransomware attacks on the health care industry. In these cases, patient records are compromised and encrypted, and the cybercriminals then demand a payment in exchange for giving the health care organization its own data back. Ransomware monetizes the data without the attacker ever having to find a buyer on the underground market, which is why even cybercriminals gravitate toward this kind of instant gratification.

Opportunity for cybercriminals is perhaps the most disturbing aspect of the diagnosis. Security-related threats and vulnerabilities abound in the health care sector, touching everything from mobile apps and cloud-based records to connected medical devices and the internet of (medical) things, to name a few. The rate at which these desirable capabilities and features are being implemented is vastly outpacing organizations’ ability to make deliberate, risk-based decisions about their security.

What We Can Do About Health Care Security

Fortunately, sensible steps for reducing the opportunities for attackers are reasonably well-understood. For example, stronger identity governance and more effective use of data and analytics can help organizations in the health care industry lock down data.

Ultimately, however, this is not really a technology issue but a fundamental business issue. The modern health care organization needs to be aware of its risks, develop a security strategy that sets how much risk it is willing to accept, and invest in a more mature set of capabilities for linking that strategy with execution. We can predict with confidence that unless the organization’s leadership does this, the symptoms will only continue to grow worse.
