The Verizon Data Breach Investigations Report 2012 (for 2011 data) is out, and although their methodology and sample does not include all the breaches that get reported to HHS or on DataLossDB.org, I thought their findings on the health care sector interesting. From their press release, here’s their overview of major findings:
Health Care
- Most of the breaches within the health care sector fell into the small to medium business category (one to 100 employees), and outpatient care facilities such as medical and dental offices comprised the bulk of these.
- Attacks were almost entirely the work of financially motivated organized criminal groups, which typically attack smaller, low-risk targets to obtain personal and payment data for various fraud schemes.
- Most attacks involved hacking and malware and often focused on point of sale (POS) systems. However, the health care industry also needs to protect medical devices and electronic health records.
- The majority of breaches can be prevented with some small and relatively easy steps, including change in administrative passwords on all POS systems; implementing a firewall; avoiding using POS systems to browse the Web; and making certain the POS is a PCI DSS (Payment Card Industry Data Security Standard) compliant application.
You can read or download their full report here, but I wanted to highlight that they found that most of the breaches they investigated were not extortion attempts but – similar to other sectors – criminals looking for low-hanging financial data for fraudulent purposes. They, too, then, see no compelling evidence that ransom is becoming a trend in the health care sector. This point is emphasized in their snapshot of the health care sector findings:
While blackmailing patients and hacking pacemakers are common hand-waving examples used by some to stress the importance of protecting medical records, the actual threat landscape is much more in line with run-of-the-mill cybercrime seen in other industries. The vast majority of attackers seek information from which they can directly or indirectly profit. This includes personal and payment information (including patient health and insurance data) used to supply organized criminal groups with what they need for all manner of fraudulent schemes.
This leads to two common patterns we see repeated throughout healthcare breaches: 1) attackers targeting point of sale (POS) systems and other assets in the payment chain, or 2) the physical theft and loss of devices (from which we may assume the value of the hardware is the intent). While protecting medical devices and records is a critical part of operating in the healthcare industry, organizations cannot lose sight of other assets being targeted by attackers.