Saturday, June 25, 2016

Cybercriminals Target Healthcare for Higher Returns

Healthcare is a major target for cybercriminals because medical records fetch roughly ten times the price of other stolen data on the black market, according to an industry report.  The same 2015 report found that the healthcare industry sees 340 per cent more security incidents and attacks than the average industry.

The proliferation of electronic health records creates a data-heavy environment, while networks comprising thousands of providers present an enormous attack surface.  The report said one in every 600 attacks in the healthcare sector involves advanced malware.

The sector is also 74 per cent more likely to be hit by phishing schemes.  The volume of attempts is only part of the problem: healthcare organizations often lack effective security awareness training and employee awareness programs, so a larger share of those attempts succeed and turn into security incidents.

Many health organizations lack the budget and the administrative, technical and organizational skills needed to detect, mitigate and prevent cyber-attacks, including advanced malware.  The report called this a significant threat to healthcare infrastructure.

The rapid digitization of the healthcare industry, combined with the value of the data it holds, has led to a massive increase in the number of targeted attacks against the sector.  The finance and retail sectors have spent years honing their cyber defenses; the research indicates that healthcare organizations must advance their security posture just as quickly to meet the challenges of the digital economy, before the sector becomes the primary source of stolen personal information.

Wednesday, June 15, 2016

HealthCare Security

Healthcare Security: Moving Forward

Following the recent wave of data breaches, data security is back in the national spotlight. Healthcare data breaches not only create financial exposure for companies and consumers, they can also pose serious medical threats if the medical histories of affected patients are tampered with.  Healthcare breaches have not received as much media attention as breaches in other industries, yet they can have a far greater personal effect on the individuals involved.

What Makes Healthcare Data so Vulnerable?

Although data breaches in any industry pose great threats, healthcare data breaches have the potential to inflict greater financial and personal consequences on clients and companies. Here are some of the main concerns when it comes to healthcare breaches.

1. Health companies face unique challenges in transferring health records securely.
Many healthcare companies are still inexperienced at maintaining secure transfers of their Electronic Health Records (EHRs), and as a result their records may be more exposed. Some of these companies have the technology needed to create and store records securely, but many still lack the security practices needed to withstand skilled attackers once those records move between systems and providers.

2. Healthcare companies need to refocus their infrastructure to protect against breaches.
Many healthcare companies are still learning how to prevent data breaches and how to detect them when they happen. Unlike credit card companies and banks, which have established measures for quickly recognizing fraudulent activity and putting a stop to it, healthcare companies can take months to notice anomalous activity, if they notice it at all.

Cybercriminals tend to think of healthcare organizations as soft targets. Historically, they haven’t invested much in IT, and security specifically. Knowing that healthcare companies are seen as easier targets should give these companies the necessary motivation to improve their security practices.

3. The consequences of healthcare breaches are much more severe.

While the consequences of identity theft can be expensive and frightening, the impact of a healthcare data breach is often more expensive and may even be life-threatening. According to estimates cited in a recent CSO article, "The average profit [for healthcare identity theft] per record is $20,000—compared to just $2,000 for regular identity theft." That price difference is one reason healthcare data breaches pose a greater threat to individuals: the records are worth more to the attacker, so they attract more attention.

Beyond the financial threat, many attackers who obtain healthcare records tamper with them to increase their profit, mostly by obtaining and reselling prescription drugs under the victim's identity. The consequences of drug-related fraud are obvious, but the same tampering can leave life-threatening errors in a medical record (past surgeries, allergies, drug interactions) that clinicians will rely on during an emergency.

What Can Healthcare Providers Do?

Healthcare companies have sometimes neglected to deploy even the most basic enterprise security measures. Without those basic controls, these companies make themselves more vulnerable to attack and put their clients' most sensitive data (social security numbers, medical records, credit card information) at great risk.

Calling All Healthcare Organizations

The healthcare industry is generally about 10 years behind the financial services sector in protecting consumer information.  This security lag costs healthcare organizations credibility and client trust, on top of the immense financial cost of a devastating attack.

To avoid these attacks in the future, healthcare organizations must take this opportunity to prioritize better security practices and raise the baseline of healthcare security from here on out.



Sunday, June 5, 2016

A Primer on Risk and Security Awareness

We talk a lot about human risk in the world of security awareness, but I have rarely seen it defined, especially at a level that anyone can understand. So I want to take a step back and give a simple overview of what risk is and the role security awareness plays in helping organizations manage it.

  1. Security: Let's start with the basics. What exactly is security? Simply stated, security is managing risk.
  2. Managing: So what do we mean by managing? There are three ways you can manage risk: you can reduce risk, you can accept risk, or you can transfer risk (insurance). Some frameworks add a fourth option, avoidance, which means not doing the risky thing at all. Security vendors help you reduce risk. Acceptance of risk is primarily an internal decision, while transfer of risk is an entirely different field (insurance). One thing you can never do is eliminate risk.
  3. Risk: So what is risk? At the most general level, risk is defined as the probability of an incident times the harm that incident causes. The greater the likelihood that something bad will happen, the greater the risk. The greater the impact of an incident, the greater the risk.
  4. Cyber Security Risk: In the world of cyber security we use the same model but break it down one step further. Specifically, we define risk as Vulnerabilities x Threats x Impact. It's the same model; all we did is split probability into two variables, vulnerabilities and threats. The more vulnerabilities you have, the more likely you will have an incident. The more threats you have, and the more motivated, skilled, or well resourced they are, the more likely you will have an incident. The multiplication is conceptual rather than strict arithmetic: if any one factor is close to zero, the risk is small, and if all three are high, the risk is severe.
  5. Security Awareness: So where does security awareness fit in? Security awareness is the specialty of managing human cyber risk. Instead of using technology to manage risk, we leverage employees. Keep in mind that security awareness addresses not only deliberate threats but also accidental ones, in other words trusted employees and staff who cause harm by mistake.
  6. Behaviors: So what do we train people on, and how does security awareness manage human risk? By changing people's behaviors. Through behavior change you can reduce any one of the three variables that create risk. For example, teach people how to identify a phish and they become less vulnerable. Teach people how to spot an insider and you reduce threats. Teach people how to use encryption and you reduce impact. The goal of awareness is to reduce human risk, and we do that by changing people's behaviors.
  7. Culture: Where does culture fit in? Culture is not just how people behave but their attitudes, perceptions and norms. This is not only more difficult to change but more difficult to measure. Ultimately you want an organization that has both secure behaviors and a secure culture. However, focus on behaviors first. Not only are behaviors easier to change and easier to measure, but changing behavior is the path to changing culture. Finally, just because an organization has a secure culture does not mean it has secure behaviors. For example, you can have employees who believe and understand that security is important, so they focus on locking the front door to the building while happily sharing passwords with the person from 'tech support' on the phone.

So there you have it, a short, simple primer on what security awareness is and the role it plays in helping organizations manage risk.