Why the healthcare industry badly needs a cyber security health check
The healthcare industry had the highest number of breaches in 2014
After a slew of data breaches in 2014, the FBI warned the healthcare industry that cyber-criminals would be directing more attention their way in 2015. The healthcare industry, valued at $3 trillion, has become an increasingly valuable target for cyber thieves and, in some cases, a much easier target to attack due to their often less than adequate investment in cyber security. What is it about the healthcare industry that has captured the cyber criminals’ interest in the last few years?
Overview of data breaches in 2014
At the end of each year, the Identity Theft Resource Center (ITRC) produces a data breach report showing the total number of data breaches and records stolen for each industry.
The data is taken from credible sources, including the Attorney General’s website, and includes data breaches that occurred in the year of the report or breaches that were made public in the year of the report.
2014 was a big year for data breaches in general, with a total of 761 breaches, amounting in 83,176,279 exposed records. The following industries were included in the report: Credit/Financial (5.5%), business (32.7%), education (7.6%), government/military (11.8%), healthcare (42.3%)
Of the industries represented, the healthcare industry had the highest number of total breaches in 2014: 322 out of a total of 761 breaches.
In terms of the total amount of records stolen or compromised by breaches in 2014, the business sector had the highest at 65,896,115, followed by the healthcare industry at 8,255,247 records.
It might be surprising that the banking industry only had 1,185,492 records stolen, especially when considering how frequently credit card fraud makes the news. It’s not often that you hear about someone who had their medical record stolen.
Unfortunately, stolen medical record data is not usually reported in a timely manner; often taking years before someone discovers that the data has been compromised. Unlike stolen medical records, stolen credit card information is usually reported rather quickly, due to banks’ monitoring for suspicious account activity.
Comparing medical records to credit card data
In order to understand why the healthcare industry is such a big target for cyber-criminals, you have to understand the value of a stolen medical record. Personal banking information is still valuable to the average cyber thief, but it doesn’t have nearly as high of a payout as that of a medical record.
Reuters placed a value on stolen medical information that is ten times more than that of credit card data. According to data collected from monitoring exchanges on the black market, the director of threat intelligence at PhishLabs estimates the value of stolen medical information to be around $10 per record, and that is on the low end of black market prices. Some sources claim that they can be sold for as much as $60 to $70 per record.
In the ITRC report mentioned above, of 322 reported breaches for the healthcare industry, 289 breaches resulted in confirmed quantities for the number of records stolen. The average amount of records stolen per known breach was around 28,564.
If each medical record is assumed to be worth a minimum of $10, then the average payout for cyber-criminals from each breach would be at least $285,640, and that is considered to be a conservative estimate.
If a record were assumed to be worth around $60-$70, then the average payout would be over $1.7 million per breach. Credit card data, on the other hand is worth around $1 per record, so cyber-criminals would have to steal at least 10 times as many banking records to realise similar profits.
Medical records sell at a high price because they contain personal data such as names, addresses, social security numbers, birth dates, billing information, among other information. This information is used by cyber-criminals to create fake IDs that can be used to buy drugs that can be resold later, or to file false insurance claims using patient data.
Industry spending on cyber security
Hospitals are often easier targets for cyber-crime because they lack the proper cyber security defenses. Healthcare spending for cyber security is known to be low, compared to other regulated industries.
In a 2012 report released by the Ponemon Institute, the healthcare industry listed a lack of funds as one of the main obstacles preventing them from taking the proper steps toward better data security practices.
ABI Research recently reported estimates that worldwide healthcare spending on cyber security will be around $10 billion by 2020. This only amounts to about 10% of the amount spent on cyber security by the critical infrastructure industry. By comparison, the financial industry is expected to spend $9.5 billion in 2015 alone.
We know how much cyber-criminals stand to gain from a healthcare industry data breach, but how much do these data breaches cost the companies who are affected?
With the average cost of a data breach for a company in the healthcare industry around $2 million over a two-year period , the case for investing in additional cyber security defenses becomes clearer.
The problem with BYOD
One of the biggest concerns facing the healthcare industry is the increased adoption of BYOD by medical professionals. According to a recent report, 88% of healthcare organisations said they permitted employees and other medical staff to use personal devices for work purposes.
More than half of those same organisations claimed they did not have visibility to the security status of those BYOD devices. If organisations are not certain of the security of a device, how can they effectively protect any patient data contained therein?
Although many healthcare organisations allow medical staff to use personal devices for work purposes, their IT departments do not adequately support that use. There seems to be some sort of disconnect between the Electronic Medical Record (EMR) tools that are chosen by the IT department and the willingness of medical professionals to use those tools.
In a study recently released by Spyglass Consulting, 70% of physicians interviewed claimed that their IT department wasn’t making adequate progress towards supporting mobile computing and communication requirements.
This statistic is alarming as 96% of those same physicians claim to be using their personal smartphone for clinical communication purposes. Inefficient support of physician’s mobile devices results in communication issues, which in turn leads to higher costs created by communication delays.
The healthcare industry clearly needs to find a way to integrate BYOD trends without compromising the security of devices.
Solutions for preventing future breaches
With healthcare industry data breaches predicted to increase in 2015, organizations must take the proper precautions to avoid hefty fines resulting from HIPAA violations.
As a requirement for HIPAA, installing an antivirus product is an important layer of protection. By choosing multi-scanning, organizations reduce the risk that that malware will enter their network; what one antivirus engine doesn’t detect another often will.
Document sanitisation capabilities are also useful, allowing users to prevent infections by advanced threats and/or zero-day attacks by converting potentially dangerous file types to remove embedded malware.
Protection of endpoints
If devices connecting to a hospital’s internal network cannot be confirmed as secure, how can organisation expect to avoid a possible data breach? Proper host checking and monitoring of endpoint security status is imperative as more physicians adopt BYOD practices.
This endpoint visibility challenge is unique and difficult to address while still maintaining the spirit of BYOD policies. Some MDM (Mobile Device Management) products have addressed this using techniques like containerization, but the issue is largely unaddressed for desktops and laptops.
Improved email security
A phishing attack is believed to be the cause of the recent Anthem breach, where stolen employee credentials were used to gain access to a secure network. In order to avoid this type of attack, the healthcare industry must invest in the proper email security software.
Industry-wide spending on cyber security remains low, despite the fact that healthcare is the largest target for cyber-criminals. If organisations in the healthcare sector want to reduce their risk of cyber-attack, they have to re-evaluate their views on security.
Too often, investment in cyber security occurs after a breach has already taken place and patient data has already been compromised. If organisations find the right security tools they can protect patient data while addressing organisation-wide communication issues, saving the valuable time of medical staff and avoiding the potential loss of millions in data-breach recovery costs.