A Visa card with a magnetic stripe or chip will earn a hacker only $12. By comparison, the depth of information in an electronic health record (EHR) has it priced at up to $50 on the black market.
“Cybercriminal Christmas” is what digital security company ThreatMetrix is calling Christmas 2015 for all industries. The run-up to the holiday has “yielded record numbers in attempted attacks,” says Vanita Pandey, senior director, strategy and product marketing for the company.
Health care security a science experiment, says expert
Confidence levels in the readiness of the health care industry specifically have not been improved by recent findings from Cigital. The software security consultancy has included health care companies for the first time in its software security measurement tool, BSIMM. The tool studies how organisations run their software security programs in-house and benchmarks them, so organisations can measure their program’s maturity against those of other organisations.
Cigital found health care is lagging behind other organisations in all four domains it evaluates: intelligence, governance, deployment, and SSDL touch points.
“Like a science experiment that escaped the test tube” is how Cigital’s CTO, Gary McGraw, characterises health care security. “When HIPAA came out, it got health care organisations to start thinking about patient privacy and protecting patient data. And when they did that, they thought they were done.”
Researchers at Forrester agree. Forrester analyst Stephanie Balaouras describes health care companies as “woefully behind in preparedness.” The focus, she agrees, has been on achieving HIPAA compliance rather than overall privacy. It has been done begrudgingly and at the lowest possible cost, she says.
Threats to watch out for this Christmas
Low-and-slow botnet attacks
Web attackers are becoming more sophisticated as they work to evade existing protections. They are deploying low-frequency attacks using botnets designed to avoid detection because they do not trip rate- and security-control alarms.
Roughly six percent of the attacks detected by ThreatMetrix this year involved fraudsters replaying stolen identities by spoofing devices.
Criminals are getting better at stitching together the various aspects of consumer data made available through different breaches. They use them to open new accounts, steal payment information and take over customer accounts.
Another common way to spoof identity is to hijack user sessions with malware or Man-in-the-Middle attacks.
Forrester is predicting that in 2016 hackers will release ransomware for a medical device or wearable.
Three things to fix fast
Forrester’s advice to health care companies is:
- Introduce two-factor authentication for access to databases of EHR
- Use behavioural analytics to identify suspicious behaviour
- Accept that identity protection is no longer good enough
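The low-and-slow botnet pattern described above, and the behavioural analytics Forrester recommends, can be illustrated with a small detector. This is an added example, not ThreatMetrix or Forrester code; the log format, IP addresses and thresholds are all constructed for the demonstration. It shows why a per-IP rate limit stays silent when each bot source tries only once, while an account-level view over a longer window (distinct sources per account) surfaces the same campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records: "<timestamp> <source ip> FAIL <account>".
# Five bot sources each try "alice" once, minutes apart; "bob" mistypes twice.
SAMPLE_LOG = [
    "2015-12-20T10:00:05 10.0.0.11 FAIL alice",
    "2015-12-20T10:06:40 10.0.0.12 FAIL alice",
    "2015-12-20T10:13:22 10.0.0.13 FAIL alice",
    "2015-12-20T10:21:09 10.0.0.14 FAIL alice",
    "2015-12-20T10:28:51 10.0.0.15 FAIL alice",
    "2015-12-20T10:02:00 10.0.0.5 FAIL bob",
    "2015-12-20T10:02:30 10.0.0.5 FAIL bob",
]

def parse(lines):
    events = []
    for line in lines:
        ts, ip, result, account = line.split()
        events.append((datetime.fromisoformat(ts), ip, result, account))
    return events

def per_ip_rate_alerts(events, limit=5, window=timedelta(seconds=60)):
    """Classic rate control: flag an IP with more than `limit` failures in one window."""
    by_ip = defaultdict(list)
    for ts, ip, result, _ in events:
        if result == "FAIL":
            by_ip[ip].append(ts)
    alerts = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i, t in enumerate(stamps):
            if sum(1 for u in stamps[i:] if u - t <= window) > limit:
                alerts.add(ip)
    return alerts

def per_account_spread_alerts(events, min_sources=4, window=timedelta(hours=1)):
    """Behavioural view: one account failing from many distinct sources in a long window."""
    by_account = defaultdict(list)
    for ts, ip, result, account in events:
        if result == "FAIL":
            by_account[account].append((ts, ip))
    alerts = {}
    for account, hits in by_account.items():
        hits.sort()
        for i, (t, _) in enumerate(hits):
            sources = {ip for u, ip in hits[i:] if u - t <= window}
            if len(sources) >= min_sources:
                alerts[account] = len(sources)  # distinct sources seen in the window
                break
    return alerts
```

On the constructed sample the per-IP check returns nothing, while the account-level check flags "alice" with five distinct sources; the thresholds are illustrative and would be tuned to a real population.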