Healthcare Organizations Twice As Likely To Experience Data Theft

Published : 22/11/2024   Category : security




Bad guys very willing to invest in attacking medical data, but healthcare not very willing to invest in defending it.



Healthcare institutions are twice as likely to experience data theft as other sectors, and already see 3.4 times more security incidents, according to a study released today by Raytheon and Websense.
Why is healthcare so popular with attackers? Perhaps because the balance sheet tips in their favor. Medical records are very desirable on the black market, because medical records, themselves, may be a treasure trove of PII, financial information, and insurance numbers.
The exact figures vary, but while basic PII may run for just $1 on the black market these days, Jim Trainor of the FBI Cybersecurity Division told CBS News in February that PHI records can go from "20 say up to -- we've even seen $60 or $70." A new report released by BitSight today references a recent report by NPR's All Things Considered which found a "value pack" of just 10 Medicare numbers that sold for about $4,700.
Yet, security measures that ensure those records stay confidential can inhibit patient care -- or at least that's how it seems to some medical professionals. Nurses and physicians fully understand the importance of data availability, but when patients' lives are on the line, data confidentiality takes a back seat.
According to the Raytheon Websense report, healthcare professionals have an increased tendency to try and get around IT security policy in order to better serve their patients and up to 75 percent of hospital network traffic goes unmonitored by security solutions out of fear that improperly configured security measures or alarming false positives could dramatically increase the risk to patient health or well-being. 
"Outside of stock trading, I can't think of another industry where you have to err on the side of openness," says Bob Slocum, senior product marketing manager of data and endpoint security for Websense. Further, there is no other industry, he says, where an employee (like a doctor) can routinely trump a security policy.
The end result is that attackers are far more willing to invest in stealing medical records than healthcare institutions are willing to invest in protecting them from being stolen.
As the Raytheon Websense report references, the average healthcare organization only spends about 3 percent of its IT budget on security, even though HIMSS recommends they spend at least 10 percent. BitSight reports that while healthcare has done a good job closing up those Heartbleed vulnerabilities (only 4.4 percent), it's still wide open to FREAK (43.4%) and POODLE (73.5%).
Conversely, attackers will bring their best tools to bear. According to Raytheon and Websense, healthcare organizations are four times as likely to be hit with advanced malware -- particularly the CryptoWall ransomware (450% likelier), Dyre Trojan (300% likelier), and stealthy Dropper (376% likelier), which opens backdoors and drops other assorted payloads.
Healthcare is also 14 times as likely to be hit by the Andromeda botnet -- which has a particularly stealthy loader with anti-VM and anti-debug capabilities that can stay silent for months before it communicates with its command and control server, according to Raytheon and Websense.
Slocum says that he expected the numbers to be bad, but not quite as astronomically bad as they were.
Plus, while outside attackers barrage them with malware, medical institutions also have malicious insiders to worry about. According to a report released yesterday by Trend Micro, healthcare has a larger insider leak problem than any other sector, attributing 17.5% of its breaches over the past 10 years to insider leaks. Insider leaks were the primary source of identity theft cases (44.2%) and healthcare was hit harder by identity theft than any other sector, accounting for 29.8% of cases.
The BitSight report has declared healthcare the second-worst industry performer in data security, ahead of only education. According to Trend Micro, more than one-quarter (26.9%) of the data breaches reported in the past 10 years were in the healthcare sector.
And it isn't only an American problem; as the Raytheon Websense report cites, the U.K.'s National Health Services has been fined £1 million for its data security transgressions.
Complexity contributes to the problem. Multiple hospitals, labs, imaging centers, and pharmacies in multiple locations share data and computing resources.
The complexity just increases as the early-adopting industry hooks more medical devices into the Internet of Things. As guests of today's Dark Reading Radio episode on "Fixing IoT Security" remarked, one of the challenges of the IoT is installing software security updates -- something that is infinitely more complicated when the device needing the update resides within a patient's body.
Slocum says he takes the issue to heart, being a diabetic himself, but that medical device manufacturers he's spoken to have been very proactive about security -- not only by inviting ethical hackers to try to break into their devices, but by securing their other systems extra carefully, knowing that any sort of breach would damage their brand reputation and thus people's trust in their devices.
Slocum says there's some reason for optimism. He says that IT leaders in healthcare organizations have been beating the drum and asking their CEOs for cybersecurity funding for years, to no avail; but since the Anthem breach, the conversation has changed.
"I believe they're going to get more [money] and executive support," he says. He recommends that they direct some of these funds to more unified solutions that can manage complex environments and to better end user awareness training.
