The healthcare industry will be a target for cyber attackers in 2017 while the nefarious practice of holding patient records for ransom will be an industry scourge, according to predictions by credit reporting firm Experian.
“Personal medical information remains one of the most valuable types of data for attackers to steal,” according to the 10-page report, the company's fourth annual data breach forecast.
Patient data is useful in both identity theft and in a more insidious variant, medical identity theft. The latter is when a person uses another's identity to obtain medical treatment, creating a double whammy by defrauding the victim's insurance company and muddling up the victim's medical records.
Hospital networks continue to be “a ripe target for attackers,” the report said, since their data is spread over different networks, making them harder to defend than more centralized organizations.
Electronic health records systems within these organizations are likely to be cyber attackers' prime targets, since access to EHRs has become more “mobilized” with tablets and smartphones.
“As more healthcare institutions deploy new mobile applications, it's possible that they will introduce new vulnerabilities that will also be attractive targets for attackers,” the report authors said.
And there will always be at least one interested buyer of stolen patient records – the provider who created them and wants them back.
Ransomware practitioners often don't charge exorbitant amounts for the keys to the encryption algorithms they use to lock up a target's data and, in some cases, their software, too.
“Ransomware presents an easier and safer way for hackers to cash out: given the potential disruption to a company, most organizations will opt to simply pay the ransom,” the report authors said.
In February, officials at Hollywood (Calif.) Presbyterian Medical Center paid a relatively small sum, $17,000 in Bitcoin, for the release of their patient data and their multi-million dollar HIT system after a ransomware attack. But one well-known security industry firm, Symantec, Mountain View, Calif., estimated in 2012 that ransomware practitioners knocked down more than $30,000 per day in ransom payments worldwide.
Today, “it's probably more like $300,000 a day,” said Michael Bruemmer, vice president of Experian's data breach resolution unit, and it's made largely on volume. “The average payment is about 2 Bitcoins, or $670. It's really small amounts.”
The public is not hearing more about these incidents because the victims don't talk.
“It's like an iceberg, where you only see 30% above the water,” Bruemmer said, since many in the healthcare industry remain quiet about getting hit.
According to Experian, while paying up might be expeditious for the individual healthcare organization, that could be detrimental in the long run.
Hackers could use the steady flow of ransom payments to fund advanced research and development, devising “more sophisticated and targeted attacks,” the report said.
Other top data insecurity trends listed in the report are predicted rises in so-called “nation-state” cyber attacks and “aftershock” breaches, the latter occurring when passwords stolen in previous breaches are used to fraudulently log in to computer systems and wreak more havoc.