Data Breach Extortion: A Nightmare for The Healthcare Industry

Just last week thousands of Wendy’s locations were affected by a data breach that put customer credit card records into the wrong hands. When a data breach of this magnitude occurs, criminals begin extorting the victims. Often the victims of a data breach receive emails giving them the choice between having their personal information released or paying a ransom of 2 to 5 bitcoin (a digital currency; the demanded amount is worth about $250 to $1,200 USD). These emails have reached millions of people, and it is difficult for a recipient to determine whether or not the senders are lying about what they hold.

Data breaches are on the rise. The McAfee Labs 2016 Threats Predictions Report stated, “In 2015 we saw ransomware-as-a-service hosted on the Tor network and using virtual currencies for payments. We expect to see more of this in 2016, as inexperienced cybercriminals will gain access to this service while staying relatively anonymous.” Essentially, it is easier than ever for someone to extort you in exchange for your private information and never get caught.

The Healthcare Industry is a Major Target…

As of 7/5/2016, the Healthcare industry accounts for 33.7% of all data breaches and 34.2% of all personal records stolen in 2016. Though the media generally reports on data breaches at large enterprises, like Wendy’s, collectively those businesses give up only 19% of the total records stolen. The Healthcare industry has become a bigger target because it stores more valuable information in its records: social security numbers, health information, home addresses, and more. The more sensitive the information, the higher the price cybercriminals charge for it.

Data breaches can occur in many different ways, and all of them can lead to the extortion of patients. Two-thirds of data loss or theft is caused by poorly managed IT services. Portable device loss, insider leaks, stationary device loss, hacking/malware, and payment card fraud can all be resolved or reduced by managing IT more responsibly.

Here are the steps you should be taking to improve the safety of data at your healthcare facility:

• Separate personal employee data from patient-related data.

• Reduce the amount of data you store: the old, irrelevant data needs to go!

• Improve compliance: everyone should have responsibility for information security.

• Your internal IT team or outsourced IT company should be dedicated to securing data (prevention), backing up data (restoration, which reduces downtime), and maintaining HIPAA compliance.

[Figure 1. Breach methods observed in the healthcare industry. (From trendmicro.com)]

If you must maintain HIPAA compliance and you haven’t had a network security assessment performed recently, call us today at 717-914-0102 or sign up online for a FREE, no-obligation network and security assessment.