
2015 Was a Year of Serious Data Breaches, Major Attacks and New Vulnerabilities, Report Says

April 21, 2016
by Heather Landi

Healthcare was the most frequently targeted industry for cyber attacks in 2015, with the highest security incident rate, surpassing financial services and manufacturing, according to a new IBM Security Services report.

2015 was also a watershed year for healthcare information security due to another sobering fact—five of the eight largest healthcare security breaches since the beginning of 2010, those with more than one million records reportedly compromised, took place during the first six months of 2015, the report states. More than 100 million healthcare records were reportedly compromised last year.

“Packed with a wealth of exploitable information, electronic health records fetch a high price on the black market. They typically contain credit card data, email addresses, social security numbers, employment information and medical history records—much of which will remain valid for years, if not decades. Cyber thieves are using that data to launch spear phishing attacks, commit fraud and steal medical identities,” the report authors wrote.

IBM Security Services’ 2016 Cyber Security Intelligence Index report provides an overview of the threat landscape, including the type and volume of cyber attacks, which industries are most affected and factors enabling attackers.

Authored by members of the IBM X-Force research team, Nicholas Bradley, Michelle Alvarez, David McMillen and Scott Craig, the report is the result of IBM X-Force researchers analyzing cyber attack and incident data from IBM’s worldwide security services operations across more than 1,000 client organizations in 100 countries.

The same research team in last year’s report coined 2015 “the year of the healthcare breach,” and it proved to be accurate. The fact that healthcare shot straight up to the top spot in the security incident rankings in 2015 is noteworthy given that the industry wasn’t even in the top five in 2014.

In 2015, the average client organization monitored by IBM Security Services experienced approximately 53 million security events annually, 35 percent fewer events than clients experienced in 2014. And, the average client company experienced 1,157 attacks in 2015, down from 12,017 in 2014. However, according to report authors, that reflects “specific and continually optimized policy tuning on the part of security analysts” and the authors noted that the vast majority of security events can actually be designated as “noise” or extremely low priority traffic.

The average client company experienced 178 security incidents in 2015, up 64 percent from the 109 that were discovered in 2014.

Nearly half of security incidents in 2015 across all industries were the result of unauthorized access. Research data indicates that a vulnerability known as Shellshock was behind last year’s surge in unauthorized access attacks. In the report, unauthorized access attacks are defined as various types of attempts to break into a network, a server or a database, such as exploiting a vulnerability to inject command code into software, exploiting a backdoor or bombarding a system with random passwords in hopes that one will work.

According to the IBM X-Force research report, 60 percent of all attacks were carried out by “insiders,” or those with insider access to organizations’ systems, up from 55 percent in 2014. However, in this report, “insiders” included malicious insiders as well as inadvertent actors. An inadvertent actor might be someone who is duped in a phishing scam or lured into opening a malware-laden email attachment.

“Although the insider is often an employee of the company, he or she could also be a third party. That includes business partners, clients or maintenance contractors, for example. They’re individuals you trust enough to allow them access to your systems,” the authors wrote.

On a positive note, in 2015, the number of attacks carried out by inadvertent actors (one-third of the 60 percent of insiders) dropped from 2014 (one-half of insiders were inadvertent actors). The report authors note that a reduction in the number of attacks attributed to inadvertent actors could mean that “more organizations are implementing security policies and employee education—and that they’re doing a better job of communicating what’s expected and why it’s important.”

The report authors note that security leaders are realizing that neither “checking the box” to address compliance requirements, nor conducting annual penetration testing and incident response exercises are by themselves sufficient approaches. “Today’s CISOs and security leaders are now looking for fundamental ways to influence and improve both their own programs and established best practices—because they know that simply being compliant isn’t acceptable for a well-governed organization.”

The report also outlines a number of steps organizations should take to develop a strategic cyber security program, beginning with prioritizing business objectives and setting the organization’s risk tolerance.

Information security leaders also should protect their organizations with a proactive security plan, which requires both technology and policy. Along with protection, security leaders and CISOs also should prepare a response to the inevitable: a sophisticated attack. “With the constant evolution of advanced persistent threats—and a growing presence of hackers intent on finding a vulnerability—it’s fairly certain that your organization may eventually fall victim to a data breach. Having a coordinated and tested incident response plan is critical at a time like this, as is access to the right resources and skills,” the report authors wrote.

In addition, security leaders should promote and support a culture of security awareness.


