Health data breaches: Why size doesn't matter
Big breaches make for big news: Anthem, Heartland Payment Systems, Sony, Target, to name just a few. The causes of these big breaches are numerous: big data and information integration provide a larger attack surface, and criminals are becoming more adept at acquiring and exploiting personal information.
Security professionals, from CISOs and breach response managers to cyber-insurance carriers, need to keep in mind that size is not the only factor that determines the potential impact and cost of a data breach. New threat actors and new agendas are changing the risk climate and complicating the tasks of breach prevention and response. For instance, the most recent Sony breach was perpetrated by a nation state solely to disrupt a company that was not aligned with the nation's point of view, a motive that "surprised" the FBI, the agency's Cyber Division Section Chief John Riggi said in his keynote address at the recent HCCA 2015 Compliance Institute in Orlando.
The new cybercriminals
A decade ago, data breaches rarely made national headlines, and the most common causes tended to be a lost laptop, insider theft, or small-time criminals stealing records with the intent to commit financial fraud. Now breaches make headlines almost weekly, and the stories show a whole new cast of threat actors turning to cyber-attacks to achieve more complex ends.
With the recent Anthem breach, for example, there was speculation that organized cyber-criminals may hold medical records for ransom, demanding payment for not releasing the information online or to other criminal groups. Criminals realize the value of these medical records. According to the FBI, credit cards will sell for between 50 cents and $1 each, but health information data, including name, DOB, policy numbers, etc., will sell for $60 to $70 for each data record. This creates an extraordinary financial opportunity for organized crime and adverse nation states.
A breach is a breach, no matter how small. In healthcare breaches, where lives can literally be at stake, no provider of any size can afford to ignore a threat of compromise to patient medical records. Small to mid-sized data breaches have just as much risk and potential exposure as their bigger counterparts.
Sizing up the risks
As the risks from data breaches have evolved, responses need to evolve as well. For years, the conventional wisdom has been that the biggest breach risks are identity theft from compromised personal information, lost business due to customer defection, and possible regulatory fines if the organization is found to be out of compliance. If the breach was large enough to trigger regulatory notification requirements, the proper response was to report it, provide credit monitoring for the affected customers, and mount a good PR effort.
Today's breaches present more complex risks. For example, no longer content with credit monitoring, breach victims are now bringing lawsuits and winning. A group of Sony ex-employees has brought seven federal class-action lawsuits and two state court claims blaming the breach of their personal information on negligence. Last year, the West Virginia Supreme Court ruled that health care breach victims have standing to sue, and the first class-action suit related to the Anthem breach was being prepared within hours of the breach announcement, quickly followed by several more. Settlements in even individual medical identity theft cases could run to millions of dollars, enough to put a mid-size provider out of business.
Damage to business relationships is also not a function of breach or company size. Middle-market organizations can have data breach risk exposure that is just as high as that of Fortune 500 companies when it comes to the value of their data assets and their potential for becoming targets of cyber-criminals. Regional insurer Premera Blue Cross is facing five class-action suits over a May 2014 breach resulting from a cyber-attack. An 18-bed county hospital in Illinois made news in December when hackers threatened to make 12,000-plus patient records public unless the hospital paid a ransom.
Coming out fighting
This year marks the beginning of a new era in data breach risk. Corporate employee negligence and for-profit hacking are giving way to offshore organized crime and state-sponsored cyber-terrorism. Cyber-criminals are transitioning from targeting retailers and others where credit and financial information is available to higher-value targets such as healthcare and other industries with vulnerable customers and high-value intellectual property. Those responsible for privacy and security, from the board and executive level to insurers, need to be better informed and prepared, thinking beyond size to the multi-faceted risks that data breaches entail for their organizations, customers, and careers.
When risks were primarily a function of breach size, the largest organizations—those holding the most data, and, presumably, those with the biggest response budgets and cyber-insurance policies—tended to be the most likely targets. With new threat actors and agendas, mid-size organizations are becoming targets because of the valuable information they hold. And mid-sized organizations may not have the security resources or insurance coverage of a Target or Sony. Risk assessments and preparation are key to mitigating the impact of future breaches, both for the businesses themselves and for their cyber-insurance providers. As Mark Twain said, “It’s not the size of the dog in the fight, it’s the size of the fight in the dog.”
In the new breach landscape, every information stakeholder must be ready to come out fighting.
Rick Kam is president and co-founder of ID Experts.