The Health Care Data Breach: A Tale of Big Expenses and Cheap Sales
Health care data breaches are on the rise. As noted by MedPage Today, there were 39 reported health network compromises in March, totaling more than 1.5 million records. This not only surpasses the 31 total events reported in both January and February, but also more than triples the 388,000 records breached in 2017’s first month.
But here’s the thing: With so many records now compromised, packaged and sold on the Dark Web, the sales price to interested actors is falling rapidly. What happens when data supply outpaces criminal demand?
Everything’s Got to Go!
While security professionals and patients alike lament the lack of effective controls in protecting health care data, increasing concern hasn’t translated into better defense. In fact, cybercriminals are now so adept at cracking, stealing and selling health care information that Dark Web prices are falling considerably.
Consider the case of a Baltimore-area substance abuse treatment facility. According to CSO Online, the organization experienced a data breach last year that saw more than 43,000 records stolen and posted on the Dark Web. These records included basic information, such as names and phone numbers, along with dates of admission, doctor and counselor assignments, and specific treatment data. Security researchers identified the likely point of entry as a malicious Word file that, in turn, exploited a vulnerable remote desktop protocol (RDP).
As the clinic struggled to identify and notify all affected patients while simultaneously improving its IT security posture, its entire catalog of records was being shopped around the Dark Web at just $300, or less than 1 cent per record.
In effect, it’s a supply-and-demand issue. Until recently, “fullz” — full packages of personally identifiable information (PII) — went for around $7. But as the number of available records skyrocketed, the price dropped to compensate. Now, the average price per record sits between 50 cents and $1.
For patients and companies, however, the financial impact is potentially ruinous. Health care organizations are faced with potential public relations and network disasters, while patients may find that their entire identities — from tax returns to Social Security numbers to physical addresses — are being leveraged to cause long-term headaches.
The Data Breach Defense
The new threat landscape has many companies taking action to limit the chance of data breaches. The problem is that efforts don’t always match the most worrisome attack vectors.
Consider that among the top concerns for health agencies is the threat of ransomware. Fair enough, since cybercriminals are now willing to ask for millions in compensation, and companies know they’re on the hook for more than $300 per record in remediation costs.
But here’s the thing: Insider threats are actually the greatest danger to health data, with employees responsible for 68 percent of all health data breach attacks in 2016. In most cases, staff members have no intention of causing harm; they may be duped by phishing emails, click on malicious links or accidentally share privileged information.
Another key threat vector is third-party vendor breaches. These occur when data processing partners don’t do enough to secure their infrastructures and inadvertently allow health care data to be lost, stolen or compromised.
Effective health care defense isn’t just about beefing up network controls and locking down IT systems. Instead, companies need better internal education programs paired with more thorough assessments of third-party providers to limit the chance of compromise.
Even with record prices falling to all-time lows, don’t expect cybercriminals to give health care companies a break. While criminal-facing prices may be falling, the costs of damage control and remediation continue to rise, meaning health organizations need to take a hard look at where they’re getting hit and what’s being targeted. With no single cause, effective treatment of the data breach problem requires a multifaceted approach.