And it’s not even close. Healthcare and medical breaches make up 42.6% of all breaches. The next closest contender is business at 32.7%, according to the most recent ITRC (Identity Theft Resource Center) report. The good news for this sector, if that is what you would call it, is that this figure represents the number of records exposed. It does not represent the number that was actually stolen. In fact, only 9.7% of these records were stolen, while businesses had 79.2% of their exposed records stolen.
There is a reason for this discrepancy. Healthcare institutions are heavily regulated by the government and must maintain some HIPAA (Health Insurance Portability and Accountability Act) compliance, though what this really means is a bit vague. In any event, if they do not meet certain security standards, which include reporting potential exposure of patient data, healthcare institutions can be heavily fined. In fact, this happened this year when New York-Presbyterian Hospital and Columbia University Medical Center paid $4.8 million for exposing patient records back in 2010.
Businesses, on the other hand, have a little more freedom in reporting breaches. In fact, most information on exposed records or breaches probably goes unreported for the simple reason that companies don’t want to look bad. Unless it is clear that substantial client or customer information has been compromised, you will probably never hear about the breach. This explains why so many reported business breaches involve stolen personal information: the ones that get reported are the ones that were too big to hide.
All of this still does not explain why the healthcare industry is so attractive to hackers. A good way to answer this is to look at one of these hacks. From April to June of this year, Community Health Systems of Franklin, Tennessee, had 4.5 million patient records, including social security numbers, stolen by a China-based hacking group. It was FireEye/Mandiant that traced the hackers to a well-known hacking team referred to as APT 18. This team has been around for a while and is known for stealing corporate data, blueprints, new drug information, and other such intellectual property. So why did they decide to steal the personal information of patients? Probably the best answer is: because they could. They may have been looking for intellectual property but found the medical records so accessible that they simply took them.
That’s not exactly good news for customers of healthcare organizations. It implies that they are easy targets for hackers. Indeed, the security firm Websense found a 600 percent increase in attacks on hospitals. As one expert noted, the reason hackers are focusing on hospitals is because “they’re just so dang easy to hack.” They’re also considered less risky targets and bring greater profits for the attackers. What else could a hacker ask for?
According to Kelly Yee, Vice President at Penango, the secure webmail and encryption company, hackers are willing to pay 20 times more for medical information than credit card information. This is because hackers can obtain personal information, social security numbers, and medical records. With this, they can apply for credit cards or gain access to prescription drugs. Besides, a hacker could get lucky and find information on new drugs that were being developed and then sell the information on to interested parties. For hackers, healthcare is a win-win situation.
And according to the Websense Security Predictions for 2015, the situation doesn’t look like it will be changing any time soon. The medical and healthcare sector is expected to continue being the most hacked one. The fact that these institutions have so many connections to their networks makes it difficult for them to prevent hackers from using techniques such as phishing to compromise them and make off with sensitive data. Without good architecture that isolates important data from devices that may be compromised, we can expect more breaches, some of which may make the CHS breach seem relatively small.