The 2019 edition of the Cost of a Data Breach Report, sponsored by IBM and published by Ponemon, is causing quite a stir in the cybersecurity world. The annual report, which draws its data from in-depth interviews with more than 500 global companies that experienced data breaches between July 2018 and April 2019, finds not only that data breaches are becoming increasingly common but that the cost of these breaches is rising and that cybercriminals are shifting their target industries.
The report found that the healthcare industry, traditionally ignored by cybercriminals, experienced the highest cost per breach this past year.
Our leadership team and senior engineers have outlined their take on the report and why they think cybercriminals are targeting the healthcare industry.
Money & Personally Identifiable Information
Andrew Douthwaite (Chief Technology Officer) found it interesting that the healthcare industry had the highest cost per breach, but he was not surprised. As his colleague Garrett Stanley (Senior Engineer and Attack Specialist) pointed out, healthcare is a rich cybercrime goldmine that is still relatively unguarded. Not only can cybercriminals use tactics such as ransomware to extort funds from healthcare providers and pharmaceutical companies, but healthcare organizations also hold vast stores of personal data that can be used for criminal purposes.
“Personally Identifiable Information (PII) is particularly valuable from a fraud perspective”, said Chris Storer (Senior Security Engineer). PII can be used for both prescription drug fraud and insurance fraud. Increasingly, cybercriminals are targeting PII, such as stolen insurance numbers and social security numbers. This personal information is also easier to use than credit card or bank information, as banks have increased their cybersecurity defenses in the last few years, making it more desirable and valuable.
Settling Instead of Fortifying
Malware, including ransomware, is an incredibly popular tactic among cybercriminals. As Michael Murdoch (Senior Project Manager) pointed out, electrical, power, and utilities infrastructure is also being increasingly targeted, but these industries are becoming wiser and fortifying their cybersecurity.
Garrett Stanley told us healthcare and pharmaceutical companies typically spend very little on IT infrastructure and cybersecurity, as compared to their overall budget. If these vulnerable industries continue to neglect their cybersecurity practices and infrastructure, they will continue to be disproportionately targeted.
When a healthcare organization experiences a breach, it puts the personal data of Americans at unnecessary risk and erodes consumer trust. Breaches can also allow cybercriminals (including rival companies) to access proprietary data on drug patents and other sensitive information.
Unfortunately, as Matt Rutledge (Senior Project Manager) told us, most of the big healthcare companies have their compliance departments report to their legal departments. This fosters environments where companies are more likely to settle with affected consumers when a breach happens because it is cheaper and easier than addressing their cybersecurity shortfalls and forcing full technical compliance.
In fact, it is typically smaller healthcare organizations that are the most strict about compliance, and who typically not only meet the minimum for compliance but do whatever they can to fortify their cybersecurity defenses against breaches.
Brent Taylor (Professional Services Engineer) agrees. He has done extensive consulting work for both hospitals and doctor’s offices and has found that most compliance measures focus more on reporting than on actual cybersecurity measures. This is because these guidelines are not typically written by cybersecurity or network professionals, but instead by financial analysts and lawyers. The goal of these guidelines is not protection, but reporting, so even if an organization is fully compliant, their valuable data is not actually safer from cybercriminals.
The word “cybercriminal” typically conjures up an image of an angry loner in his basement, but the face of cybercrime is changing. Garrett Stanley feels that attacks on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems will increasingly be state-sponsored. This is mostly because there are far easier ways for cybercriminals to extort money from unprepared organizations, making ICS and SCADA targets less appealing to cybercriminals looking to get rich.
However, all organizations need to remain vigilant. A cybercriminal only has to get past your defenses once to cause damage and steal private information.
Defending Healthcare Organizations Against Cyberattacks
Healthcare organizations need to be serious about their cybersecurity efforts and focus less on reporting and more on concrete defense measures. To help ensure your organization’s data is safe from breaches, you may want to consider enlisting the help of a Managed Security Services Provider (MSSP).
See also: Healthcare managed security services case study.
MSSPs are made up of teams of trained cybersecurity experts who will work with your organization to create a tailored cybersecurity solution to safeguard your company’s data against cybercriminals. A good MSSP will monitor your network 24/7/365 for suspicious or unauthorized activity, help you mitigate or even avoid damage if you experience a breach, and help train your employees to better safeguard your organization’s digital assets. They will also sit down with you after a breach has occurred and help you learn from the incident so that you can better safeguard your valuable digital assets.