Organized criminals scoped their sights on healthcare somewhere around 2012 and found that stealing patient data enabled them to monetize that information in a number of ways. Since then tactics have grown increasingly sophisticated and attackers are launching more attempts now than ever.
Perhaps coincidentally that’s also when the stream of lost unencrypted hardware began slowing down, said Kurt Long, CEO of application security specialist FairWarning.
“That’s not to say that laptops don’t still get lost, but the peak years for that were 2008-2012,” Long determined. “I don’t know that lost laptops were all that damaging. It could be in the bottom of the Hudson River. We don’t know where that data went.”
But since healthcare organizations have to publicly disclose those incidents, whether the information was actually exposed to criminals or not, the industry swallowed a steady diet of headlines about data breaches.
The era of targeted attacks, however, appears to be significantly more threatening — and it’s already upon us.
Healthcare organizations, in fact, have been hit by one hack per month during the last year, according to a Ponemon Institute study. Ponemon questioned 535 IT security professionals working at public, private and government healthcare organizations and found that the most common threat is attackers exploiting existing software vulnerabilities that are more than three months old. Newer vulnerabilities and spearphishing -- sending targets an email aiming to get them to click on an executable or other malicious code -- ranked second and third, respectively.
From the criminal’s perspective the beauty of these attacks is that they are relatively low-risk with a big potential to make plenty of money by using elegantly simple tactics, said Secure Ideas CEO Kevin Johnson.
“As much as I’d like to say it’s cool and magic, it’s really not. It’s basic IT cleanliness,” Johnson explained. “And IT cleanliness is not ingrained in healthcare.”
That fact paved the way for the years FairWarning’s Long described as an era in which organized crime squarely targeted healthcare, circa 2012-2015. By combing through public documents like court reports and reading indictments as well as interviewing Treasury Department officials, Long and colleagues showed that criminals are stealing patient records to commit medical ID theft but also to defraud the Internal Revenue Service by filing fake returns with the stolen information.
While those practices are not likely to vanish anytime soon, Long said the industry is already entering a new phase.
[Like Healthcare IT News on Facebook]
“The next wave is hacktivists and foreign nationals that want to expose some wrong they think needs to be righted as well as international crime syndicates with financial motivations,” Long said.
Long explained that typically the criminals seeking money are in Russia and eastern Europe, while the Chinese are after our state secrets or looking to blackmail U.S. ambassadors — and the hacktivists location is something we don’t even know because they could be anywhere.
Regardless of who perpetrates the attack, though, what’s on the line is trust.
“It’s the ultimate high stakes game because at some point if the trust breaks down between patients and clinicians such that people are afraid to share health information and withhold it instead because they don’t trust providers, that’s only going to escalate,” Long said. “This is a battle we have to win.”