On the eve of 2016, IBM X-Force Security Research called attention to a shift in cybercriminals’ focus from retail to health care, and they warned of increased security risk in the health care sector. Halfway through the year, how have those predictions for health care security been playing out?
The Prognosis Was Correct
Unfortunately, the prognosis of a higher risk of data breaches in the health care industry in 2016 appears to have been spot on. At least for the likelihood component of health care security risk, the evidence points to a definite increase:
- IBM’s interactive infographic of publicly disclosed data breaches revealed that the health care industry represents a steadily growing percentage of all data breaches. It has risen from 5 percent in 2013 to 8 percent in 2014, 9 percent in 2015 and 15 percent in the first half of 2016 (through June 1).
- Similarly, the data breaches cataloged by the Privacy Rights Clearinghouse showed that as a percentage of all data breaches, the health care industry grew from 8 percent in 2013 to 14 percent in 2014, 15 percent in 2015 and 35 percent in the first half of 2016. Although these two databases are somewhat different, the general trend is very much the same.
- From a slightly different perspective, Verizon's annual Data Breach Investigations Report showed that the share of investigated security incidents in the health care industry that turned out to be confirmed data breaches (i.e., disclosure of an information asset to an unauthorized party, not merely an incident with no confirmed disclosure) jumped from 27 percent in 2013 to 60 percent in 2014 and 69 percent in 2015.
This regrettably accurate trend is easier to see in the following chart. Keep in mind that risk is properly defined as a function of both the likelihood of such events occurring and the business impact if they actually do occur; the figures above speak only to likelihood.
By these and other measures, the likelihood component of risk in the health care industry is on the rise.
Health Care Data Is Where Motivation Meets Opportunity
Cybercriminal behaviors with respect to the health care industry can be observed, but the full picture requires understanding their motivations and opportunities as well. The start-of-year analysis didn’t make many predictions in this regard, but it did provide useful insights that are still applicable just a few months later.
Motivation for cybercriminals is certainly clear enough: Health care data is valuable. Medical records typically include names, Social Security numbers, dates of birth, financial information, employment information, insurance information, addresses, phone numbers, emails and more — all the things one would need to perform identity fraud, insurance fraud, tax fraud and so on.
The fact that health care data is even more valuable to cybercriminals than payment card information is by no means new. In the summer of 2013, underground market pricing for stolen health care data looked something like this, according to SecureWorks:
- About $20 per record for health care credentials only, including name, date of birth and insurance information.
- About $500 for fullz, which are electronic dossiers of credentials for a particular individual, compiled and packaged with other personally identifiable information to facilitate identity theft and fraud.
- Between $1,200 and $1,300 for kitz, which include custom-manufactured physical credentials (e.g., insurance card, Social Security card, driver’s license, credit card) and documentation related to identity data to provide a complete, ready-to-use identity theft kit.
A more recent trend is the upswing of ransomware attacks on the health care industry. In these scenarios patient records are encrypted in place, and the cybercriminals demand a payment in exchange for giving the health care organization access to its own data again. Unlike resale of stolen records, this monetizes the intrusion immediately and does not even require exfiltrating the data: Even cybercriminals gravitate toward instant gratification.
Opportunity for cybercriminals is perhaps the most disturbing aspect of the diagnosis. Security-related threats and vulnerabilities abound in the health care sector, touching everything from mobile apps and cloud-based records to connected health care devices and the internet of (medical) things, to name a few. The rate of implementing these desirable capabilities and features is vastly outpacing the ability to make deliberate, risk-based decisions about security.
What We Can Do About Health Care Security
Fortunately, sensible steps for reducing the opportunities available to attackers are reasonably well-understood. For example, stronger identity governance (knowing who has access to which records, and limiting that access to what each role actually needs) and more effective use of data and analytics (spotting anomalous access to records before it becomes a breach) can help organizations in the health care industry lock down their data.
Ultimately, however, this is not really a technology issue but a fundamental business issue. The modern health care organization needs to be aware of its risks, develop a security strategy for how much risk it’s willing to accept and invest in a more mature set of capabilities for linking strategy with execution. We can predict with confidence that unless the organization’s leadership does this, symptoms will only continue to grow worse.