Attacks/Breaches
5/7/2015 06:01 AM
Healthcare Data Breaches From Cyberattacks, Criminals Eclipse Employee Error For The First Time

New Ponemon Report reveals just how hot healthcare data is for hackers.

Cybercriminals and nation-state actors are indeed targeting healthcare organizations for their valuable data: cyberattacks and physical criminal activity have now officially surpassed insider negligence as the main cause of a data breach in healthcare organizations.

The Ponemon Institute's new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. That's a first, since employee or insider negligence -- user errors, lost laptops and thumb drives, etc. -- accounted for the majority of breaches last year and in years past, according to Ponemon.

More than 90% of healthcare organizations surveyed by Ponemon in its report have suffered at least one data breach exposing patient data over the past two years, while 39% had been hit by two to five breaches, and 40% had suffered more than five breaches during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.

About 45% of those breaches came via criminal attacks; 43% by lost or stolen computing devices; 40% via employee mistakes; and 12% via a malicious insider.

The cost of all of this healthcare breach-mania? Some $6 billion per year, with an average cost of $2.1 million per healthcare organization, according to the report, which was commissioned by ID Experts.

"For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches," says Larry Ponemon, chairman and founder of Ponemon Institute. "Ninety-one percent had one or more breach in the last two years, and some of these are tiny, less than 100 records, but they are still not trivial."

Healthcare organizations also are regularly battling security incidents, such as malware infections. Some 65% say they were hit with cyberattacks in the past two years, and half suffered paper-based security incidents. They're not confident in their incident response capabilities, either, with more than half saying their IR isn't adequately funded or staffed. And one-third don't have an IR plan at all.

Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).

The report also surveyed business partners and associates of healthcare organizations. Nearly 60% of these businesses -- patient billing, claims processing, health plan, and cloud services, for example -- had been hit by data breaches; 14% of them had suffered two to five breaches, and 15% more than five, during a two-year period. More than 80% of them were hit by Web-based malware attacks.

Rick Kam, president and co-founder of ID Experts, says the bad guys are going after healthcare records because they are so valuable. While a stolen credit card can go for a dollar or less in the underground, a patient's pilfered health credentials can bring in as much as $10, according to some experts.

"Data breaches like Anthem's are rare events," Ponemon says. "The types here [in this report] are mostly smaller-sized breaches."

The bad guys are after insurance information for insurance fraud, as well as employee data from the healthcare providers. "We've seen a huge increase in" abuse of employee data, ID Experts' Kam says. "In the last month and a half, we've seen a 100% increase in tax fraud."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
DungT593, User Rank: Apprentice
5/13/2015 | 9:40:23 AM
Malicious Insiders and Employee Negligence
What stuck out to me was the percentage for malicious insiders and employee negligence. These numbers can be related, since an unattended and unlocked workstation can be quickly attacked before the technician, nurse, etc. comes back. In big hospitals, trespassers can be a major threat. Automatic locking tools can add another level of security.
Ulf Mattsson, User Rank: Moderator
5/7/2015 | 4:43:01 PM
I think it is time to re-think our security approach
I'm concerned that "close to 45% of all data breaches in healthcare are due to criminal activity," and "a 125% increase in such activity over the past five years."

With more stringent data security requirements and regular audits on the horizon, in addition to increasing attacks on PHI data, organizations should act now to protect their data, before it's too late.

Ponemon Institute published another interesting survey related to the recent spate of high-profile cyber attacks. According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

We are seeing a number of common issues across recent data breaches, stealing our most sensitive data, and I think it is time to re-think our security approach and be more data-centric. It is critical to protect sensitive data wherever it is stored. Educating users is not enough and I think that policies should be automatically enforced.

Ulf Mattsson, CTO Protegrity.
Christian Bryant, User Rank: Ninja
5/7/2015 | 12:24:25 PM
Don’t Rule Out Fear as a Security Tool
For larger health orgs who have had a large number of internal data breaches, I know from keeping an ear to the grapevine (I work in healthcare IT) that fear has as much to do with the lower numbers as employee awareness training. Your job should be important to you as an individual regardless of your moral compass, and there have been heavy penalties and punishment doled out to those who are intent on breaching patient confidentiality. That punishment not only removes you from your job, but makes the next one difficult to obtain, too. If you are serious about remaining employed and developing a solid career, it's a no-brainer that respecting a patient's right to privacy should be your daily responsibility.

Personally, I feel patient awareness training should include a darker version of what can happen, relayed through anecdotes to employees to reinforce this point. Fear can really work in favor of InfoSec as a form of social engineering. Sad, but true.
RyanSepe, User Rank: Ninja
5/7/2015 | 10:46:30 AM
Re: User Awareness Responsible?
I feel that you hit one of the most quintessential security implementation issues. Small organizations normally do not have as much financial backing to implement strong security safeguards. This is a difficult paradox. You need to implement safeguards to secure the data and to save your organization's financial aspects (reputation, revenue, data), but don't have the financial backing to implement those safeguards.

That being said, there are definitely ways to shore up security w/o breaking the bank.
Kelly Jackson Higgins, User Rank: Strategist
5/7/2015 | 10:41:05 AM
Re: User Awareness Responsible?
Ah, good perspective on that, Ryan. Thanks. The study didn't drill down into the reasons behind it, but a lot of the orgs getting hit were smaller ones, Ponemon said. And my guess is they weren't doing much in user awareness training.
RyanSepe, User Rank: Ninja
5/7/2015 | 10:39:18 AM
Re: User Awareness Responsible?
I would have to lean in that direction as well. However, the healthcare network I worked for implemented user awareness on an onboarding and yearly process. I would think for the large healthcare organizations that they would follow a similar approach.
Kelly Jackson Higgins, User Rank: Strategist
5/7/2015 | 10:37:15 AM
Re: User Awareness Responsible?
I'm not sure healthcare has been at the leading edge of user education, so my gut is that it's more the bad guys have found a new soft target.
RyanSepe, User Rank: Ninja
5/7/2015 | 8:27:16 AM
User Awareness Responsible?
Many institutions have put great significance into education and user awareness training in the past couple of years. Could it be that these principles directly correlate to the decrease in user negligence? Or has the attack vector pivoted to where malicious attempts yield a much higher success rate of infiltrating companies?