High-profile data breaches in 2014 have exposed just how extensive - and expensive - cybercrime has become: it’s a billion-dollar industry with no shortage of targets, and no end in sight. But while 2014 was the annus horribilis of the business sector, experts are predicting that hackers will be turning their specific attention to the healthcare industry in 2015.
If the prediction is correct, healthcare bosses may need to swallow a bitter pill: the US-based Ponemon Institute’s latest annual global benchmark survey of 257 companies revealed that the average annualised cost of a data hack in the healthcare sector is $1.38 million (£0.9 million).
Historically, money-motivated hackers have concentrated on stealing financial data such as online banking credentials and credit card numbers, i.e. details that lead directly to a source of funds.
Responding to the high-profile hacks of others, businesses which hold customers’ financial data are increasing their efforts to guard such payment instruments securely, and for obvious reasons – theft of customer data is hard to recover from, in terms of both monetary and reputational loss.
The added security measures not only make stealing such data difficult, they make using it more difficult. As a consequence, the exchange value of such data has dropped, prompting hackers to turn to the data-rich, but less-secure, health sector.
So, it is with a sense of gathering storm that infosecurity experts expect that 2015 will be the year of medical industry breaches.
Hackers are not simply attracted by the less-secure nature of the healthcare sector…it is an abundant source of personal data that is commanding high prices amongst the cybercriminal underworld.
Last year, 4.5 million personal records containing names and addresses, birthdates, telephone numbers and social security numbers were stolen after a network hack of America’s largest hospital operator, Community Health Systems (CHS). Both the patients and CHS can consider themselves lucky that the credit card, clinical and medical details were not thought to have been compromised.
And this year, Anthem Inc., America’s No. 2 health insurer, admitted to a breach of its 80 million record-strong database, resulting in investigations by authorities at both the state and federal level.
Stolen health records, with the detailed information they contain, can be used for the usual brand of identity theft and fraud, but with specific medical and clinical info, criminals can pose convincingly as patients in order to get prescriptions for controlled drugs which are then sold on the black market.
And if you know where to fence them, stolen healthcare records can be monetised fairly quickly; as to value, a name and address, with social and medical identity can sell for $20 (£13) apiece.
With database volumes like those at CHS and Anthem Inc., and the ever-increasing degree of digitised medical data, it’s no wonder that hackers are seeking to tap into the goldmine that is the healthcare sector.
Alerted by the wave of hacking incidents across other business sectors, health insurers and health service providers alike say they have been preparing for data breaches, with some looking to financial and defense companies for best practices, and even hiring hackers to break into their systems.
Whilst the healthcare industry may be late to the party when it comes to the necessary tight rigours of successful infosecurity, it must know better than anyone the concept of prevention being better than cure.
Which is why its cybersecurity plans need to cover everything from the most elementary of practices – enforcing an effective password management policy – up to the ultimate, but hopefully never used, data breach response plan... just in case.
There’s a tough road ahead, but recent findings of the not-for-profit Online Trust Organisation suggest that 90% of data breaches are preventable; this must surely offer the hope of a good prognosis for those healthcare companies that respond quickly and effectively to this new data security challenge.