The health care industry is being targeted by cyberthreats at an increasingly alarming rate. Once outpaced significantly in terms of breaches and malicious attacks by other sectors such as financial and retail, health care is no longer on the sidelines. Bringing them front and center are five of the eight largest security breaches that have affected this industry in the last five years. According to IBM X-Force Interactive Security Incidents data from Jan. 1, 2015 to Oct. 31, 2015, all five occurred in the first half of 2015, with almost 100,000,000 health care records compromised.
The Crown Jewel of the Health Care Industry: PHI
Why has the health care industry become a popular target? The answer is in the data. Health care’s crown jewel, protected health information (PHI), has an excellent resale value on the black market. The Health Insurance Portability and Accountability Act (HIPAA) introduced PHI as a term to represent an individual’s medical records and health information. Another frequently used term in the health care arena is electronic health record (EHR), which is a record containing PHI. In addition to medical information, EHRs could also contain email addresses, Social Security numbers, and banking and employment information.
Consequences of compromised PHI are multilayered. Aside from the significant costs to the breached health care organization, the customers of the targeted company face a plethora of potential hardships and costs. This significant cost to the individual victim translates to damaged reputation for the targeted health institution. According to the Ponemon Institute’s “2015 Cost of Data Breach Study,” health and pharmaceutical companies experience higher customer churn following a data breach over other industries in similar predicaments.
IBM MSS Data Reveals Health Care’s Achilles’ Heel
IBM Managed Security Services continuously monitors billions of events per year, as reported by more than 8,000 client devices in over 100 countries. Analysis of data collected from Jan. 1, 2014 through Oct. 31, 2015 reveals some interesting finds regarding the types of attacks targeting the health care industry.
Malicious Documents and Sites
Getting a victim to open a malicious document or to click on a link that leads to a malicious site are proving to be successful attack methods against the health care industry, with delivery of a malicious document appearing to be preferred over a malicious link.
A threat game changer for 2014, Shellshock is well-documented in the IBM 2015 Cyber Security Intelligence Index. This malware-less attack vector that takes advantage of a vulnerability in the GNU Bash shell remains a significant and persistent threat.
Attackers use an automated, repetitive method of trial and error to crack an individual’s username and password to gain access to administrator accounts or applications that store data on a Web application or Web-facing server. Once in, attackers can inject malware that can potentially get them further into the target health care organization’s network.
Older and Nonsanctioned Applications
Hospital organizations running earlier versions of Internet Explorer run the risk of an attacker using VBScript to execute arbitrary code on a vulnerable system. IBM MSS found that many health care company employees utilize a number of applications that may or may not be officially sanctioned by the organization, making it difficult to bring those systems into the security fold — and presenting an attacker with an additional attack vector.
Make Cybersecurity a Business Priority
One of the major challenges that health care faces is being able to address cyber risk in order to direct information technology investment and resources, especially as organizations address security of the data and technologies. Health care organizations are feeling this more acutely than most sectors due to the sensitivity, volume and velocity of the data in transit and traveling through their networks.
Cybercriminals see this as a rich environment for stealing data. The ability of attackers to do harm that is of immediate consequence, physically or financially, speaks volumes of the need for the health care industry to address issues and focus investments quickly.
Daunting as these security challenges may seem, health care organizations that are making a concerted effort to put cybersecurity at the forefront of their priorities are in a strong position to prevent compromise. Complying with the many regulatory health care requirements is a good start, but it’s not enough to thwart today’s attacks and keep organizations out of the breach spotlight. More has to be done to strengthen the overall security posture across all health care entities, from hospitals to smaller practices and device manufacturers, to ensure the protection of PHI. The only way to do this is to make cybersecurity a business priority.