Anthem Healthcare – one of the nation’s largest providers of health insurance – acknowledged last week that a “sophisticated cyber attack” on its network exposed data on 80 million of its customers.
The data breach is the largest so far in 2015 and just the latest in a series of breaches at prominent U.S. firms. In that sense, there’s nothing particularly surprising about it, and we don’t yet know enough about the attack, which is being investigated by the FBI, to draw many other conclusions about what happened (or didn’t happen).
What is notable about the attack on Anthem is that it comes on the heels of a number of warnings that 2015 will be a year of stepped up attacks on healthcare organizations. Just six weeks into 2015, those reports look prescient.
For example, the security firm Websense issued a report in December that said healthcare organizations are a “prime target for cybercriminals” in 2015. The reason: medical records hold a trove of useful information – from personal histories to financial data (like credit cards) that can facilitate identity theft.
Why healthcare organizations? And why now? Those are questions with many answers. Here are a few:
This isn’t anything new.
The best answer to explain the trend towards more attacks on healthcare organizations is that it’s not really a trend at all. Attacks on healthcare organizations have been part of the background noise of private- and public-sector breaches from the very beginning. In fact, the number of records lost by healthcare organizations topped 30 million in 2014. But those incidents often haven’t garnered as much media attention, frequently because they involved fewer stolen records. It makes sense that, next to the theft of data on tens or hundreds of millions of Target Inc. customers, the theft of data on 4.5 million Community Health Systems patients looks ho-hum, let alone the theft of data on 8,000 Tufts Health Plan subscribers or 27,000 patients at the University of Pittsburgh Medical Center. In short: mega breaches have made us jaded.
Another answer to the “Why healthcare?” and “Why now?” questions is that there is actually something new going on that makes the current environment particularly risky for healthcare organizations: Obamacare. The Affordable Care Act created massive new incentives for hospitals and doctors’ offices to migrate from paper record keeping to so-called “electronic medical records” or EMR and to join larger networks of providers, known as “Accountable Care Organizations” or ACOs, that can coordinate patient care.
These are good things and will open the door to vast new efficiencies within the healthcare sector. But, in the short term, they also increase the risks of data theft and data loss. In fact, a 2014 report from The Ponemon Institute surveyed healthcare providers and found that 69 percent of organizations surveyed believed the ACA significantly increases (36 percent) or increases (33 percent) the risk to patient privacy and security. Their top concerns: insecure exchange of data between healthcare organizations that are part of ACOs, and insecure storage of patient data on provider databases.
The biggest change in the risk posture of medical organizations may have nothing to do with the organizations themselves. Rather: it appears that malicious actors, including both cyber criminal groups and state-sponsored hackers, have set their sights on healthcare companies. In the case of Community Health Systems, a publicly traded company that operates 206 hospitals across 29 states, an investigation of the 2014 hack that yielded medical records on 4.5 million patients suggested that the attacks originated in China. The Washington Post reported on Thursday that China is suspected in the attack on Anthem as well.
Why is that? There are many possible explanations. Hospitals are rich sources of data on individuals, which is a lure for cyber criminals interested in carrying out identity theft. And, while attacks on point-of-sale systems that dominated the headlines in 2014 are still a fact of life, more retail organizations are locking down those systems with each passing day, denying would-be attackers an easy target. Healthcare organizations may end up being the next easiest target.
So, while the risk posture of healthcare organizations may be no different this year than in the past, the focused attention of sophisticated adversaries on healthcare networks has greatly increased their risk, whether they perceive it or not.
You can agree with these assessments, or not. What is clear is that sophisticated adversaries have fixed their gaze on the healthcare sector. That means we’re likely to see far more incidents like Anthem Healthcare in the months ahead. And you can quote me on that!
About Paul Roberts