Cybercrime Hacking in Healthcare. How Does Your Security Compare?

Cybercrime hacking of healthcare organizations reached headlines in 2015 with several of the biggest data breaches of 2015 impacting healthcare organizations. These kinds of breaches have been eclipsed in 2016 to some extent by ransomware. However, hackers continue to be attracted to cybercrime hacking by the multiple and lucrative ways to monetize healthcare data including financial fraud, medical claims fraud, prescription fraud, or selling the data on the digital black market. Healthcare organizations are also often seen as soft targets with security lagging behind organizations in other industries such as financial services.

Breaches are top of mind in healthcare as far as security and privacy, and preventing cybercrime hacking breaches is one of the highest priorities for most healthcare organizations. This is because these kinds of breaches target the backend databases of healthcare organizations that contain all the patient records. The business impact of a breach is proportional to the number of records breached, so if all the records are breached then that can be a very large business impact, typically costing on average $355 per patient record according to the 2016 Ponemon Cost of a Data Breach Study. This study also shows healthcare has high abnormal churn rate with 5.3% of patients leaving a breached organization. As breach notification laws become more pervasive globally, healthcare organizations are increasingly compelled to disclose breaches including cybercrime hacking, driving the business impact.

In this type of breach an external hacker accesses the healthcare organizations network and steals sensitive patient information which they extract and monetize. A common example of this type of breach starts with the hacker ‘spear- phishing’ a healthcare worker, resulting in that worker clicking on a malicious link, and leading to a drive-by download of malware. The malware then proliferates inside the healthcare networks intranet and key logs the worker’s usernames and password credentials. In this kind of breach, hackers especially like high privileged database administrator credentials. Once the malware obtains these credentials it logs into the database containing sensitive patient data and exfiltrates this data "low and slow" to evade detection. Often this type of risk goes undetected for several months or even years. The longer it goes on the more patient records compromised. The more records compromised, the higher the business impact.

While many healthcare organizations try to transfer this risk using cyber insurance, this alone is not sufficient due to policy loopholes, high deductibles, and cyber insurance providers getting smarter about vetting the security of healthcare organizations before they grant policies. Cybercrime hacking attacks can also cause business impact higher than $100M USD and can exceed typical cyber insurance policy limits.

Compliance with regulations, laws and standards is important, but increasingly organizations realize they need to go well beyond basic regulatory compliance to effectively mitigate risk of breaches, and they are motivated up to the board level with the strong desire to not be the next breach or cybercrime hacking victim and headline. No organization wants to be “at the back of the herd” or “low hanging fruit” for attacks such as cybercrime hacking. However, it has been difficult in the past for healthcare organizations to measure or benchmark their breach security against the rest of the healthcare industry. It is one thing having a gap in your safeguards if everyone else has that gap. However, if you have a gap and most others don’t then you could be relatively vulnerable to an attack that exploits that gap.

Intel Health and Life Sciences and several industry partners are currently conducting complementary, confidential breach security assessments for provider, payer, pharma and life sciences organizations globally. Through this quick one hour engagement healthcare organizations are able to benchmark their breach security across 42 safeguard capabilities and 8 different types of breaches, including cybercrime hacking, to see how their breach security maturity, priorities and capabilities compare with the rest of the healthcare industry. This enables organizations to see if they may be lagging in maturity, over or under prioritizing breach risks, what percentile they are in terms of readiness for various breaches, and any significant gaps and opportunities for improvement they may have.

I often hear from healthcare organizations that this enables them to compare their breach security with the rest of the healthcare industry in a way not possible before, and the results of this engagement provide a valuable tool they can use to rally support from their stakeholders for allocating budget and resources necessary to address gaps identified.

To find our more, see a sample breach security benchmark report, and engage see Intel Breach Security Assessment Program.