December 1, 2015 By Michelle Alvarez 4 min read

The health care industry is being targeted by cyberthreats at an increasingly alarming rate. Once outpaced significantly in terms of breaches and malicious attacks by other sectors such as financial and retail, health care is no longer on the sidelines. Bringing it front and center are five of the eight largest security breaches that have affected this industry in the last five years. According to IBM X-Force Interactive Security Incidents data from Jan. 1, 2015 to Oct. 31, 2015, all five occurred in the first half of 2015, with almost 100,000,000 health care records compromised.

The Crown Jewel of the Health Care Industry: PHI

Why has the health care industry become a popular target? The answer is in the data. Health care’s crown jewel, protected health information (PHI), has an excellent resale value on the black market. The Health Insurance Portability and Accountability Act (HIPAA) introduced PHI as a term to represent an individual’s medical records and health information. Another frequently used term in the health care arena is electronic health record (EHR), which is a record containing PHI. In addition to medical information, EHRs could also contain email addresses, Social Security numbers, and banking and employment information.

Consequences of compromised PHI are multilayered. Aside from the significant costs to the breached health care organization, the customers of the targeted company face a plethora of potential hardships and costs. This significant cost to the individual victim translates to a damaged reputation for the targeted health institution. According to the Ponemon Institute’s “2015 Cost of Data Breach Study,” health and pharmaceutical companies experience higher customer churn following a data breach than other industries in similar predicaments.

Read the complete research report: Security trends in the healthcare industry

IBM MSS Data Reveals Health Care’s Achilles’ Heel

IBM Managed Security Services continuously monitors billions of events per year, as reported by more than 8,000 client devices in over 100 countries. Analysis of data collected from Jan. 1, 2014 through Oct. 31, 2015 reveals some interesting finds regarding the types of attacks targeting the health care industry.

Malicious Documents and Sites

Getting a victim to open a malicious document and getting a victim to click on a link that leads to a malicious site are both proving to be successful attack methods against the health care industry, with delivery of a malicious document appearing to be preferred over a malicious link.

Shellshock

A threat game changer for 2014, Shellshock is well-documented in the IBM 2015 Cyber Security Intelligence Index. This malware-less attack vector, which takes advantage of a vulnerability in the GNU Bash shell, remains a significant and persistent threat.

Brute-Force Attacks

Attackers use an automated, repetitive method of trial and error to crack an individual’s username and password to gain access to administrator accounts or applications that store data on a Web application or Web-facing server. Once in, attackers can inject malware that can potentially get them further into the target health care organization’s network.
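A defender's view of the pattern described above, as an added example that is not part of the original article: a sliding-window check that flags a burst of failed logins for one account from one source and, more urgently, a successful login that follows such a burst. The log format, threshold and window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, assumed format: "<ISO time> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2015-10-01T02:14:01 FAIL user=admin src=203.0.113.7
2015-10-01T02:14:03 FAIL user=admin src=203.0.113.7
2015-10-01T02:14:05 FAIL user=admin src=203.0.113.7
2015-10-01T02:14:07 FAIL user=admin src=203.0.113.7
2015-10-01T02:14:09 FAIL user=admin src=203.0.113.7
2015-10-01T02:14:11 OK user=admin src=203.0.113.7
2015-10-01T08:30:00 FAIL user=jdoe src=198.51.100.20
2015-10-01T08:30:40 OK user=jdoe src=198.51.100.20
"""

def parse(line):
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.partition("=")[2], src.partition("=")[2])

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, user, src, time) tuples.

    "burst": `threshold` failures for one (user, src) inside `window`.
    "success_after_burst": a successful login while such a burst is
    still active, i.e. the guess that worked and needs a response.
    """
    failures = defaultdict(deque)   # (user, src) -> recent failure times
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse(line)
        recent = failures[(user, src)]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("burst", user, src, ts))
        elif result == "OK":
            if len(recent) >= threshold:
                alerts.append(("success_after_burst", user, src, ts))
            recent.clear()          # a normal login resets the counter
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single mistyped password for `jdoe` raises nothing, while the `admin` sequence raises both alert kinds; the second is the one that should page someone.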

Older and Nonsanctioned Applications

Hospital organizations running earlier versions of Internet Explorer run the risk of an attacker using VBScript to execute arbitrary code on a vulnerable system. IBM MSS found that many health care company employees utilize a number of applications that may or may not be officially sanctioned by the organization, making it difficult to bring those systems into the security fold — and presenting an attacker with an additional attack vector.

Make Cybersecurity a Business Priority

One of the major challenges that health care faces is being able to address cyber risk in order to direct information technology investment and resources, especially as organizations address security of the data and technologies. Health care organizations are feeling this more acutely than most sectors due to the sensitivity, volume and velocity of the data in transit across their networks.

Cybercriminals see this as a rich environment for stealing data. The ability of attackers to do harm that is of immediate consequence, physically or financially, speaks volumes about the need for the health care industry to address issues and focus investments quickly.

Daunting as these security challenges may seem, health care organizations that are making a concerted effort to put cybersecurity at the forefront of their priorities are in a strong position to prevent compromise. Complying with the many regulatory health care requirements is a good start, but it’s not enough to thwart today’s attacks and keep organizations out of the breach spotlight. More has to be done to strengthen the overall security posture across all health care entities, from hospitals to smaller practices and device manufacturers, to ensure the protection of PHI. The only way to do this is to make cybersecurity a business priority.

Read the IBM X-Force research report: Security trends in the healthcare industry
