June 14, 2016 By Derek Brink 3 min read

On the eve of 2016, IBM X-Force Security Research called attention to a shift in cybercriminals’ focus from retail to health care, and they warned of increased security risk in the health care sector. Halfway through the year, how have those predictions for health care security been playing out?

The Prognosis Was Correct

Unfortunately, it looks like the prognosis for higher risk of data breaches in the health care industry in 2016 was spot on. In terms of the likelihood aspect of health care security risk, at least, the evidence confirmed a definitive increase:

  • IBM’s interactive infographic of publicly disclosed data breaches revealed that the health care industry represents a steadily growing percentage of all data breaches. It has risen from 5 percent in 2013 to 8 percent in 2014, 9 percent in 2015 and 15 percent in the first half of 2016 (through June 1).
  • Similarly, the data breaches cataloged by the Privacy Rights Clearinghouse showed that as a percentage of all data breaches, the health care industry grew from 8 percent in 2013 to 14 percent in 2014, 15 percent in 2015 and 35 percent in the first half of 2016. Although these two databases are somewhat different, the general trend is very much the same.
  • From a slightly different perspective, Verizon’s annual Data Breach Investigations Report showed that the percentage of investigated security incidents in the health care industry that resulted in confirmed data breaches (i.e., the disclosure of an information asset to an unauthorized party) jumped from 27 percent in 2013 to 60 percent in 2014 and 69 percent in 2015.

This regrettably accurate trend is visualized more easily in the following chart, keeping in mind that risk is properly defined as a function of both the likelihood of such things occurring and the associated business impact if they actually do occur.

By these and other measures, the likelihood factors of risk in the health care industry are on the rise.

Health Care Data Is Where Motivation Meets Opportunity

Cybercriminal behaviors with respect to the health care industry can be observed, but the full picture requires understanding their motivations and opportunities as well. The start-of-year analysis didn’t make many predictions in this regard, but it did provide useful insights that are still applicable just a few months later.

Motivation

Motivation for cybercriminals is certainly clear enough: Health care data is valuable. Medical records typically include names, Social Security numbers, dates of birth, financial information, employment information, insurance information, addresses, phone numbers, emails and more — all the things one would need to perform identity fraud, insurance fraud, tax fraud and so on.

The fact that health care data is even more valuable to cybercriminals than payment card information is by no means new. In the summer of 2013, underground market pricing for stolen health care data looked something like this, according to SecureWorks:

  • About $20 per record for health care credentials only, including name, date of birth and insurance information.
  • About $500 for fullz, which are electronic dossiers of credentials for a particular individual, compiled and packaged with other personally identifiable information to facilitate identity theft and fraud.
  • Between $1,200 and $1,300 for kitz, which include custom-manufactured physical credentials (e.g., insurance card, Social Security card, driver’s license, credit card) and documentation related to identity data to provide a complete, ready-to-use identity theft kit.

A more recent trend is the upswing of ransomware attacks on the health care industry. There have been scenarios where patient records are compromised and encrypted, and then cybercriminals demand a payment in exchange for giving the health care organization its own data back. Even cybercriminals gravitate toward instant gratification.


Opportunity

Opportunity for cybercriminals is perhaps the most disturbing aspect of the diagnosis. Security-related threats and vulnerabilities abound in the health care sector, touching everything from mobile apps and cloud-based records to connected health care devices and the internet of (medical) things, to name a few. The rate of implementing these desirable capabilities and features is vastly outpacing the ability to make deliberate, risk-based decisions about security.

What We Can Do About Health Care Security

Fortunately, sensible steps for reducing the opportunities for attackers are reasonably well-understood. For example, stronger identity governance and more effective use of data and analytics can help organizations in the health care industry lock down data.

Ultimately, however, this is not really a technology issue but a fundamental business issue. The modern health care organization needs to be aware of its risks, develop a security strategy for how much risk it’s willing to accept and invest in a more mature set of capabilities for linking strategy with execution. We can predict with confidence that unless the organization’s leadership does this, symptoms will only continue to grow worse.
