Healthcare Industry Breach Vulnerability

Healthcare Data Breach
You may not have noticed because of the number of times the news talks about breaches in the retail sector, but the healthcare industry has recently become a favourite target for cyber criminals.

Three major breaches have already occurred in the sector this year, exposing the data of over 93 million customers. The largest of these breaches happened to health insurer Anthem, with BlueCross BlueShield also contributing to the damage.

Hackers have been preying on the weak control systems of unsuspecting companies in the healthcare industry. Because these companies typically don’t hold customer banking information, they don’t expect to be the target of a major cyber criminal attack. However, their propensity to carry social security numbers, income data and much more makes them very attractive targets for these sophisticated hackers.

The breaches this year are yet another example of the level of care that companies that store customer data need to take in order to protect themselves. Breaches in the healthcare industry are occurring regularly, and without the expertise and assistance of Caerleon, these firms leave themselves wide open to a variety of risks including regulatory fines, lawsuits and damage to company reputation.

State Department Hack described as “The worst ever”

Following what experts have described as “the worst ever” cyber attack on a federal agency, the State Department (DOS) is soliciting Playbooks from the cyber security industry. The DOS intends to use these Playbooks in order to “put in place robust policies, frameworks, and doctrines to clearly guide both [proactive] cyber operations and response to cyber-attacks”.


Importantly, this announcement is a reflection that, when implementing cyber security protocols, attention must be paid not only to the response to a cyber attack, but also to the proactive preparation needed to minimize the chances and impact of such attacks. In their announcement, the DOS stated that the Playbooks will include the “strategy, policy, and standards regarding the security of and operations activities encompassing the full range of threat reduction, vulnerability reduction, deterrence, incident response, resiliency, and recovery policies and activities, including computer network operations, and information assurance, as they relate to the security and stability of the DOS’s infrastructure”.


The idea of having a Playbook that will walk clients through every aspect of preparation and response for a cyber breach is at the heart of Caerleon’s methodology. Unlike others who view preparation and response as two separate calculations, we take the approach that both operate holistically together and are required in order to properly shield our clients from risk. Without preparation and a detailed plan that illustrates what must be done before, during, and after a breach occurs, the cost of a response will increase exponentially.


This is what the Caerleon playbook and our other services provide. Contact us now for more information about our holistic approach to breach preparation and response.


Community Health Systems Breach

In spring of 2014, Community Health Systems (CHS), an operator of 206 hospitals in the United States, experienced a very large breach. The attack lasted for two months from April to June. The attackers are believed to be a foreign group and used very sophisticated malware to steal information from hospital patients.

Data from 5.4 million patients was stolen including names, dates of birth, social security numbers, addresses, emails and much more.

This data had been sitting in the company systems for the past 5 years. Once the hackers were able to bypass the security systems CHS had in place using this malware, the data was theirs. This sensitive information can be used in a variety of ways when it reaches the wrong hands, resulting in major costs for the company.

For CHS, the cost was between $75 million and $150 million. These costs included remediation, regulatory fines, litigation, identity theft protection programs and more. A more complex breach prevention strategy and a more efficient response would’ve drastically reduced these costs for CHS. This is an important lesson for companies everywhere that are holding sensitive client information.

What Forms do Security and Privacy Breaches take?

A breach can happen because of many different factors. Breaches can be intentional attacks or innocent mistakes. In 2014, cyber breaches were classified into nine categories. These categories are listed below, each with a brief description.

POS Intrusions
Remote attacks against the place where retail transactions occur, specifically where cards are used.

Crimeware
Malware infections within organizations that aren’t associated with more specialized classification patterns.

Thieves use computer networks to gain access to confidential information. Typically this crime is used to access high-profile information.

Insider Misuse
An employee with access to passwords and other security information abuses the access they’ve been granted, usually for personal gain.

Web App Attacks
Stealing info from customer devices and then logging into their web applications using these stolen credentials.

Miscellaneous Errors
Errors made by internal staff, especially system administrators, that lead to the exposure of private data.

Physical Theft or Loss
Devices in the workplace go missing and thieves are able to use them.

Payment Card Skimmers
Thieves put very thin skimmers inside the card reader slots and capture future customer data.

Denial of Service
A malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.

The above incidents appear in order of how frequently they occurred in 2014. POS intrusions were the most frequent attacks, as retail outlets were targeted regularly.

A Breach Risk Misconception

The risk posed by a security or privacy breach depends on far more than just the number of records involved. There are countless examples of hospitals and hospital chains that suffered millions in losses because of breaches involving a small number of records.

A great example of this risk occurred recently. A large and well-managed chain of hospitals, with adequate protocols and controls, was slapped with a multi-million dollar lawsuit. The highlight of this example is not the lawsuit itself, but the fact that the lawsuit stemmed from two different and unrelated 1-record breaches. One record was exposed to a party it was not supposed to be exposed to, and the result was millions of dollars in costs for this company. These costs are only related to litigation.

Several other tangible and intangible costs were incurred for regulatory non-compliance, reputational damage, firm disruption, etc. Firms that aren’t properly prepared to manage a breach leave themselves very susceptible to this risk.