The healthcare industry was previously on the cyberbreach sidelines compared to the financial and retail industries, but that trend has swiftly changed. In 2015 there were more than 100 million healthcare records compromised by cybercriminals via a variety of methods that included physical breaches, malware, phishing attacks, SQL injection and undisclosed attack types.
To better understand how to improve this trend, we have to explore the history and underpinnings of the breaches. In 2015 physical breaches ranging from stolen laptops that had unencrypted hard drives to employees selling patient healthcare information accounted for about 20% of reported breaches. Phishing attacks accounted for 16%, and technical misconfiguration for 13%. The security vendor industry places much focus on malware-based attacks, but malware only accounted for about 4% of breaches, as did SQL injection attacks. Unfortunately, undisclosed attack types topped the charts at 43%, leaving a big hole in the data.
What can we learn from the reported breaches in 2015? I think it is safe to assume that people and their inherent vulnerabilities were clear targets for cybercriminals. Physical breaches and phishing are both human-related weaknesses, and these two attack types together accounted for 36% of reported breaches, compared to about 21% for all other reported types combined. Cybersecurity and breaches continue to be human-centered issues, not technical ones.
Risks to the healthcare industry extend well beyond patient information. Last year, for the first time, large-scale medical device vulnerabilities were published on the dark web. Medical device vulnerabilities are a direct link to patient safety and could result in loss of life.
Personal and sensitive information maintained by healthcare providers makes them a rich target for cybercriminals because this information is a gateway to identity theft and medical fraud. Criminals have figured out that healthcare organizations are softer targets than other industries, and because criminals take the easiest path to achieve their goals, we will likely continue to see patient information stolen at alarming rates.
Practical Steps to Protect Patient Data
Cybersecurity is a pervasive problem that touches every business and organization in the modern digitized world today. It is much bigger than any single organization, and the only solution is one that includes widespread adoption and application on a global scale.
It is unfortunate, but the new third-world economy is cybercrime. We are living and operating in a time where anyone with access to a laptop computer can freely teach themselves how to launch damaging cyberattacks against a global backdrop of potential victims. In many cases these illegal activities provide a higher rate of return than traditional means.
Based on the latest breach data, below are some straightforward steps every healthcare organization should consider. Unfortunately, security controls and countermeasures come with a price tag. Balancing business risks against the avalanche of cyberthreats is a tricky business and a continually moving target. However, some fundamentals that could significantly improve the protection of personal and healthcare data continue to be overlooked or not fully implemented.
1. Encrypt all data at rest, including on mobile devices. Most organizations already use HTTPS to encrypt Web sessions, so the focus needs to shift toward protecting data at rest. Combining this approach with a tighter policy on where data can be stored will help reduce the number of breaches linked to stolen and lost devices.
2. Increase the volume and frequency of employee awareness and education for cybersecurity to help employees detect anomalous and illegal behaviors of their peers. Don’t make this training and education painful, or people will tune it out. Find new and engaging ways to get people interested in doing the right thing.
3. Move beyond regulatory compliance requirements and think in terms of risk management as opposed to passing an audit. This includes understanding and quantifying relevant threats to assets and gaining a deeper understanding of the motivations of attackers. This process is ongoing and volatile.
4. Implement a proactive cyberthreat intelligence process that provides valuable insights into the current threat landscape and how this relates specifically to your organization. This information can be used to adjust security controls as well as increase the return on investment of security technologies.
5. Management must tighten up policies and procedures for storage of personal and healthcare information. It should not be acceptable in most cases for patient information to be stored on a mobile device, and if it is, then full disk encryption must be required.
6. Engage legal to go beyond regulatory requirements for third-party service providers. Implement a third-party risk assessment process that highlights deficiencies and weaknesses that could lead to damaging cyberbreaches.
7. Become an active participant in healthcare-related ISACs (information sharing and analysis centers) such as NH-ISAC (the National Health ISAC). Network with industry peers and share information.
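Step 1 (encrypt data at rest) and step 5 (no unencrypted patient data on mobile devices) are easier to get right when each stored record is protected with authenticated encryption rather than plain disk-level obscurity. The following is an added example, not code from the article or from SurfWatch Labs: it encrypts a patient record with AES-256-GCM, binds the record identifier as associated data so a ciphertext cannot be quietly re-filed under another patient, and shows that any tampering is detected on read. It assumes the `cryptography` Python package is installed; the key is generated in-process only for demonstration, and in production it would live in a key management service, never beside the encrypted data. The patient record values are constructed sample data.

```python
"""Per-record encryption at rest with AES-256-GCM.

Added example (not from the original article). Assumes the `cryptography`
package is available. The key lives in memory here for demonstration only;
a deployment would fetch it from a key management service.
"""
import json
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size GCM is specified for


def generate_key() -> bytes:
    """Return a fresh 256-bit AES key (stand-in for a KMS-managed key)."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_record(key: bytes, record_id: str, record: dict) -> bytes:
    """Encrypt a record; the stored blob is nonce || ciphertext || tag.

    The record id is passed as associated data: it is authenticated but not
    encrypted, so a blob moved to a different record id fails to decrypt.
    """
    nonce = os.urandom(NONCE_LEN)  # never reuse a nonce under the same key
    plaintext = json.dumps(record, sort_keys=True).encode("utf-8")
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, record_id.encode("utf-8"))
    return nonce + ciphertext


def decrypt_record(key: bytes, record_id: str, blob: bytes) -> Optional[dict]:
    """Return the record, or None if the tag check fails (tampering, wrong id)."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        plaintext = AESGCM(key).decrypt(nonce, ciphertext, record_id.encode("utf-8"))
    except InvalidTag:
        return None
    return json.loads(plaintext.decode("utf-8"))


def demo() -> dict:
    """Exercise the round trip plus the two failure modes a reviewer cares about."""
    key = generate_key()
    # Constructed sample record; not real patient data.
    record = {"name": "Jane Example", "mrn": "MRN-CONSTRUCTED-0001", "allergy": "penicillin"}
    blob = encrypt_record(key, "patient-42", record)

    round_trip_ok = decrypt_record(key, "patient-42", blob) == record
    # Same blob presented under another patient's id: AAD mismatch, rejected.
    refile_rejected = decrypt_record(key, "patient-99", blob) is None
    # Flip one ciphertext bit: GCM tag no longer verifies, rejected.
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01
    tamper_rejected = decrypt_record(key, "patient-42", bytes(tampered)) is None
    # Plaintext fields must not be visible in the stored blob.
    plaintext_hidden = b"Jane Example" not in blob

    return {
        "round_trip_ok": round_trip_ok,
        "refile_rejected": refile_rejected,
        "tamper_rejected": tamper_rejected,
        "plaintext_hidden": plaintext_hidden,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Per-record keys derived from a master key, or a separate data-encryption key per device wrapped by a KMS-held key, extend the same pattern and let a lost laptop be treated as unreadable once its wrapping key is revoked.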
I am in a unique position that affords me access to the latest cyberthreat information spanning all the leading industries. It is an unfortunate truth that cybercriminals tend to prey on the weak. Compared to more mature industries like financial services, healthcare organizations are more vulnerable targets, which accounts for the change in tide.
For the first time I consistently see large quantities of healthcare-sourced patient personal information appearing in black markets on the dark web. The overwhelming majority of this information is being used to commit financial fraud. This translates into a tidal wave of unauthorized charges and loss of revenue for businesses. Because healthcare information is a rich source of personal and financial information, this trend will likely continue.
Continuing to do more of the same isn’t going to work for healthcare organizations when it comes to protecting patient data and personal information. In a world where every aspect of human life is being digitized, the proliferation of cyber-risks is sure to continue. It is going to require thought leadership and clear actions to turn the tide back in favor of law-abiding people.
Tim Layton is chief intelligence officer for SurfWatch Labs, a cyberthreat intelligence company based in Sterling, VA. Contact him at email@example.com.