Healthcare Informatics Magazine

Experian: Healthcare Orgs will Continue to be Heavily Targeted by Hackers in 2017

November 30, 2016
by Rajiv Leventhal
Ransomware will remain a top concern next year as well

In its fourth annual “Data Breach Industry Forecast” white paper, Costa Mesa, Calif.-based security company Experian gives five data breach trends that are expected to unfold in 2017.

The report stated that while many companies have data breach preparedness on their radar, it takes constant vigilance to stay ahead of emerging threats and increasingly sophisticated cybercriminals. “While some tried and true attacks continue to serve as go-to methods for hackers, there are evolving tools and targets that are likely to become front-page news in 2017. Organizations can’t wait until an attack happens to ensure they are protected—they need to look at the signs early on to start preparing for new types of security threats,” the report said.

Regarding healthcare specifically, “The consequences of a medical data breach are wide-ranging, with devastating effects across the board—from the breached entity to consumers who may experience medical ID fraud to the healthcare industry as a whole. There is no silver bullet for cybersecurity, however, making good use of trends and analysis to keep evolving our cyber protections along with forecasted threats is vital,” said Ann Patterson, senior vice president, Medical Identity Fraud Alliance (MIFA).

As such, Experian has outlined five predictions for the data breach industry for next year. Last year at this time, for the healthcare sector, Experian predicted that big healthcare hacks will make headlines, but small breaches will cause the most damage. Looking back on that prediction, Experian gave itself a “B” grade for that estimation. It said, “In 2016, there were 181 reported healthcare breaches ranging in size from 500 to 3.6 million affected individuals. While several large breaches like Banner Health and 21st Century Oncology lost more than 5 million records combined, small breaches also had a large impact. Breaches impacting 200,000 people or less accounted for 96 percent of all healthcare related breaches and impacted 1,400,872 individuals.”

The 2017 anticipated issues include nation-state cyberattacks possibly moving from espionage to full-scale cyber conflicts and new attacks targeting the healthcare industry:

Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.

The healthcare sector may continue to be the focal point for hackers as medical identity theft remains lucrative and easy for cyber criminals to exploit. Personal medical information remains one of the most valuable types of data for attackers to steal, and cyber criminals will continue to find a market for reselling this type of sensitive information on the dark web. According to a report from IBM, more than 100 million healthcare records were compromised, making them a hacker’s top target.

Experian also anticipates mega breaches will move on from focusing on healthcare insurers, which served as a popular attack victim in 2015, to focus on other aspects of healthcare, including hospital networks. These more distributed networks present a ripe target for attackers because it is often harder to maintain security measures across them than in more centralized organizations.

What’s more, of the potential sources for a breach, electronic health records (EHR) are likely to be a primary target for attackers. The portable nature of this information and the number of different entities and end-points that need access to them mean the potential for them to touch a vulnerable computer system is high. While there may be significant protections in place to secure them in transit, it only takes one compromised or outdated system to lead to exposure. Further, as more healthcare institutions deploy new mobile applications, it’s possible that they will introduce new vulnerabilities that will also be attractive targets for attackers.

Of the many threats healthcare organizations face, Experian predicts that ransomware will continue to be a top concern in 2017, particularly because a disruption of healthcare system operations could be catastrophic. Ransomware presents an easier and safer way for hackers to cash out; given the potential disruption to a company, most organizations will opt to simply pay the ransom. This has the unintended consequence of funding more research and development by attackers, who will in turn develop more sophisticated and targeted attacks. These new variants will likely be able to evade many of the security detection systems that were developed and are now widely deployed to stop the previous generation of attacks.

As such, as attackers shift their focus, an increase in hospital breaches means the consequences for healthcare organizations that don’t properly manage this risk will increase. Healthcare organizations of all sizes and types need to ensure they have proper, up-to-date security measures in place, including contingency planning for how to respond to a ransomware attack and adequate employee training about the importance of security.

Aftershock password breaches will expedite the death of the password.

A new industry trend emerged this year, and for 2017 Experian predicts “aftershock” breaches as companies face the impacts of previous data breaches. As more and more personal credentials are compromised, the risk for users may extend far beyond the initial breach as attackers continue to sell old username and password information on the dark web, sometimes years after the credentials were originally stolen.

As a result, companies that didn’t experience a first-hand data breach may see repeat unauthorized log-ins and be forced to notify their users that their information is being misused. This can be compared to an earthquake “aftershock” where the effects of an attack reverberate and are felt long after the initial disaster. Given the continued success of aftershock breaches involving usernames and passwords, Experian predicts that attackers are going to take the same approach with other types of attacks involving even more personal information, such as Social Security numbers or medical information. Experian advises companies to push toward using two-factor authentication to verify users, which helps solve the password reuse problem.

Nation-State cyber-attacks will move from espionage to war.

Building upon last year’s prediction that cyber conflicts between countries are leaving consumers and businesses as collateral damage, there may be a clear evolution of these types of threats moving from espionage to active conflict and possibly war between countries.

In 2016, state-sponsored cyber-attacks came up during the U.S. presidential campaign. Both candidates were questioned about the potential U.S. response to the use of targeted cyber-attacks by foreign nations, and each candidate expressed that they would be in favor of using cyber weapons to retaliate against countries. Experian believes that cyber warfare attacks against the U.S. will continue in 2017, and with both presidential candidates taking such a strong and pointed position on how to respond, it predicts an escalation in cyber-attack conflict in 2017.

Read all of Experian’s data breach trends in its report here.
