June 14, 2016, by Derek Brink

On the eve of 2016, IBM X-Force Security Research called attention to a shift in cybercriminals’ focus from retail to health care, and they warned of increased security risk in the health care sector. Halfway through the year, how have those predictions for health care security been playing out?

The Prognosis Was Correct

Unfortunately, it looks like the prognosis for a higher risk of data breaches in the health care industry in 2016 was spot on. In terms of the likelihood component of health care security risk, at least, the evidence confirms a definite increase:

  • IBM’s interactive infographic of publicly disclosed data breaches revealed that the health care industry represents a steadily growing percentage of all data breaches. It has risen from 5 percent in 2013 to 8 percent in 2014, 9 percent in 2015 and 15 percent in the first half of 2016 (through June 1).
  • Similarly, the data breaches cataloged by the Privacy Rights Clearinghouse showed that as a percentage of all data breaches, the health care industry grew from 8 percent in 2013 to 14 percent in 2014, 15 percent in 2015 and 35 percent in the first half of 2016. Although these two databases are somewhat different, the general trend is very much the same.
  • From a slightly different perspective, Verizon’s annual Data Breach Investigations Report showed that the percentage of investigated security incidents in the health care industry that resulted in confirmed data breaches (i.e., the disclosure of an information asset to an unauthorized party) jumped from 27 percent in 2013 to 60 percent in 2014 and 69 percent in 2015.

This regrettably accurate trend is visualized more easily in the following chart, keeping in mind that risk is properly defined as a function of both the likelihood of such things occurring and the associated business impact if they actually do occur.

By these and other measures, the likelihood factors of risk in the health care industry are on the rise.

Health Care Data Is Where Motivation Meets Opportunity

Cybercriminal behaviors with respect to the health care industry can be observed, but the full picture requires understanding their motivations and opportunities as well. The start-of-year analysis didn’t make many predictions in this regard, but it did provide useful insights that are still applicable just a few months later.

Motivation

Motivation for cybercriminals is certainly clear enough: Health care data is valuable. Medical records typically include names, Social Security numbers, dates of birth, financial information, employment information, insurance information, addresses, phone numbers, emails and more — all the things one would need to perform identity fraud, insurance fraud, tax fraud and so on.

The fact that health care data is even more valuable to cybercriminals than payment card information is by no means new. In the summer of 2013, underground market pricing for stolen health care data looked something like this, according to SecureWorks:

  • About $20 per record for health care credentials only, including name, date of birth and insurance information.
  • About $500 for fullz, which are electronic dossiers of credentials for a particular individual, compiled and packaged with other personally identifiable information to facilitate identity theft and fraud.
  • Between $1,200 and $1,300 for kitz, which include custom-manufactured physical credentials (e.g., insurance card, Social Security card, driver’s license, credit card) and documentation related to identity data to provide a complete, ready-to-use identity theft kit.

A more recent trend is the upswing of ransomware attacks on the health care industry. There have been scenarios where patient records are compromised and encrypted, and then cybercriminals demand a payment in exchange for giving the health care organization its own data back. Even cybercriminals gravitate toward instant gratification.


Opportunity

Opportunity for cybercriminals is perhaps the most disturbing aspect of the diagnosis. Security-related threats and vulnerabilities abound in the health care sector, touching everything from mobile apps and cloud-based records to connected health care devices and the internet of (medical) things, to name a few. The rate of implementing these desirable capabilities and features is vastly outpacing the ability to make deliberate, risk-based decisions about security.

What We Can Do About Health Care Security

Fortunately, sensible steps for reducing the opportunities for attackers are reasonably well-understood. For example, stronger identity governance and more effective use of data and analytics can help organizations in the health care industry lock down data.

Ultimately, however, this is not really a technology issue but a fundamental business issue. The modern health care organization needs to be aware of its risks, develop a security strategy for how much risk it’s willing to accept and invest in a more mature set of capabilities for linking strategy with execution. We can predict with confidence that unless the organization’s leadership does this, symptoms will only continue to grow worse.
