It seems like the breach cycle goes in full circles.
When data breaches began to make the news, the health care industry was hardest hit. Eventually, attacks against the health care industry, while they didn’t disappear, moved off the headlines in order to make room for breaches against the financial industry and retail and entertainment. But then came the Anthem breach, and now the announcement that Premera Blue Cross was hacked, with possibly millions of customers’ medical data exposed. I wouldn’t be surprised if we saw a flurry of news on health care-related attacks in the coming months, either.
The reasons are simple. First, health care organizations hold so much data that is valuable on the black market. You are looking at names, birthdates, addresses, Social Security numbers, insurance numbers, medical records and more. As Cameron Camp, a security researcher with ESET, wrote in a blog post:
If an attacker can harvest name, social security number, phone, address, email and the like, that haul has a much wider potential audience than, say, whether or not a patient underwent a specific medical procedure. A stolen medical record containing a lot of detail may sell for a lot of money, but that market is more specialized than the broader market for general identity data.
Secondly, the health care industry is lax when it comes to security. Last spring, BitSight released a report that found that the health care industry showed serious signs of lagging security effectiveness, with a worse average rating than the retail industry, including a high volume of security incidents and slow response times. The Premera breach is said to have occurred in May 2014 and it was announced this week. As BitSight's CTO and co-founder Stephen Boyer told me in an email:
With this incident, we know that the dwell time was close to 3/4 of a year at 269 days. In 2014, Verizon reported that the average organization took approximately 25 days to detect a breach, which is well beyond what it took Premera.
Finally, as Dave Frymier, CISO at Unisys, told me, too many organizations seem to only invest in cybersecurity after they are attacked, and few seem willing to invest to prevent the attacks in the first place. Is this what is happening within the health care industry? Or is it even worse? Are companies shrugging off a breach as a one-time event and then ignoring security practices? Anthem, after all, was hacked before, back when it was Wellpoint.
An IBM study found that over one billion records were leaked last year. If the health care industry is a prime target again, how much will those numbers go up in 2015?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba