2015: Year of the Healthcare Security Breach
Security trends in the healthcare industry
TRANSCRIPT
© 2015 IBM Corporation
Michelle Alvarez
Threat Researcher, Publisher and Editor
Managed Security Services
IBM Security
Today’s panelists
Lisa van Deth
Content Marketing Manager
Security Services
IBM Security
twitter.com/lisastweeting
linkedin.com/in/lisa-van-deth-03964
Michelle Alvarez
Threat Researcher, Publisher and Editor
Managed Security Services
IBM Security
securityintelligence.com/author/michelle-alvarez/
linkedin.com/pub/michelle-alvarez/65/867/445
Agenda
2015: year of the healthcare security breach
Attack types targeting the healthcare industry
Risks and factors in healthcare breaches
Priorities and potential actions for defense
Recent surge in hacks against healthcare institutions
Healthcare and consumers alike are paying the price for this rise in healthcare breaches
The cost of a stolen record in a healthcare breach is $363 – 136% above the average1
Following a data breach, health and pharmaceutical companies face higher customer churn than that experienced by companies in other industries1
2.32 million adults living in the United States indicated that they or close family members became victims of medical identity theft during or before 2014, and 65 percent of them paid an average of $13,500 to address the matter2
This surge is driven by the high value of protected health information (PHI) and electronic health records (EHR) on the black market
1 2015 Cost of Data Breach study: Global Analysis, Ponemon Institute, sponsored by IBM: http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03053WWEN&attachment=SEW03053WWEN.PDF
2 http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
2015: year of the healthcare security breach
Five of the eight largest healthcare security breaches over the last five years – those with more than 1 million records compromised – happened during the first six months of 2015.
PHI data fields from those breaches included emails, social security numbers, banking and employment information and medical records
Despite a quiet second half of the year, healthcare remains the leading industry in terms of records compromised
Healthcare security incident timeline. Source: IBM X-Force Interactive Security Incidents data (Jan 1 2014 – October 31 2015). Note: Data is a sampling of notable incidents and not a full representation of all incidents. http://www-03.ibm.com/security/xforce/xfisi/
Nearly 100 million healthcare records compromised in 1H 2015
Healthcare ranked #1 in terms of records compromised in the first 10 months of 2015
Accounted for nearly 34% of all records compromised across all industries
This represents a significant increase over previous years
Between January 2011 and December 2014 the healthcare industry accounted for only 0.63% of all records compromised
Source: IBM X-Force Interactive Security Incidents data Jan 1 2015 – October 31 2015. Note: Data is a sampling of notable incidents and not a full representation of all incidents. http://www-03.ibm.com/security/xforce/xfisi/
Undisclosed attack type: nearly 50% of healthcare breaches
In almost half the healthcare breaches sampled, the victim organization has not to date disclosed exactly what type of attack they sustained
“Physical” ranked second as most prevalent attack type affecting the healthcare industry
With phishing and malware accounting for nearly 22% of disclosed attacks, the impact of social engineering and the inadvertent actor is significant
Source: IBM X-Force Security Incidents data (January 1 2011 – October 31 2015). Note: Data is a sampling of notable incidents for each year and not a full representation of all incidents.
Prevalent attacks targeting the healthcare industry
Analysis of IBM MSS data accumulated between January 1 2015 and October 31 2015 reveals some interesting findings about attacks against the healthcare industry
1. Malicious documents and sites: fooling victims into opening malicious documents or clicking on links to malicious sites. Number one attack vector, with 33% of attacks involving these techniques. Almost 5% of this total involved attacks exploiting file image and media player vulnerabilities.
2. Shellshock: a vulnerability in the GNU Bash shell widely used on Linux, Solaris and Mac OS systems. The number two attack vector, making up just over 16% of the attacks. Remains a significant and persistent threat across all industries in 2015.
3. Brute force attacks: uses an automated, repetitive method of trial and error to guess an individual’s user name, password, credit card number or cryptographic key. Number three vector at nearly 9%. Upward trend in brute force attacks targeting account passwords1.
4. Older and non-sanctioned applications: IBM MSS found many attempts to exploit a vulnerability affecting VBScript, an active scripting language not supported in Internet Explorer 11. Also found that healthcare industry organizations use a number of applications which may not be officially sanctioned by the organization.
1 The Price of Loyalty Programs, IBM MSS Threat Research, http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEL03050USEN&attachment=SEL03050USEN.PDF
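Two of the vectors on this slide, brute force password guessing and Shellshock, leave recognisable traces in logs that a healthcare security team already collects. The script below is an added illustration, not IBM MSS code or tooling from this report: it runs a sliding-window count of failed logins per source address over an sshd-style authentication log (and treats a later successful login from a flagged source as a probable account compromise), and it scans web access log lines for the "() {" Bash function-definition marker that Shellshock-era Bash evaluated from HTTP headers. The log lines, addresses, account names, thresholds and window size are all constructed assumptions.

```python
"""Defender-side checks for two of the vectors named on the slide above:
brute-force password guessing and Shellshock probes arriving over HTTP.
Added illustration only; the log formats, thresholds, addresses and
account names below are constructed assumptions, not IBM MSS data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style authentication log (not real data).
AUTH_LOG = """\
2015-10-03T08:00:01 sshd[1201]: Failed password for nurse1 from 203.0.113.9 port 50001 ssh2
2015-10-03T08:00:03 sshd[1201]: Failed password for nurse1 from 203.0.113.9 port 50002 ssh2
2015-10-03T08:00:05 sshd[1202]: Failed password for admin from 203.0.113.9 port 50003 ssh2
2015-10-03T08:00:08 sshd[1203]: Failed password for drsmith from 203.0.113.9 port 50004 ssh2
2015-10-03T08:00:12 sshd[1204]: Failed password for nurse1 from 203.0.113.9 port 50005 ssh2
2015-10-03T08:00:20 sshd[1205]: Accepted password for nurse1 from 203.0.113.9 port 50006 ssh2
2015-10-03T08:10:00 sshd[1301]: Failed password for billing from 198.51.100.4 port 40001 ssh2
2015-10-03T08:15:00 sshd[1302]: Failed password for billing from 198.51.100.4 port 40002 ssh2
2015-10-03T08:20:00 sshd[1401]: Accepted password for drsmith from 192.0.2.5 port 30001 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source addresses with >= threshold failed logins inside a sliding
    time window. A later successful login from a flagged source is recorded
    as a probable account compromise rather than a mere attempt."""
    failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    users = defaultdict(set)       # ip -> distinct accounts tried
    alerts = {}
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            users[ip].add(m["user"])
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"first_seen": q[0], "succeeded_after": False})
                alert.update(failures=len(q), last_seen=ts, users=sorted(users[ip]))
        elif ip in alerts:  # success from an already-flagged source
            alerts[ip]["succeeded_after"] = True
            alerts[ip]["compromised_user"] = m["user"]
    return alerts


# Constructed combined-format web access log (not real data).
WEB_LOG = """\
203.0.113.50 - - [03/Oct/2015:08:05:10 +0000] "GET /portal/login HTTP/1.1" 200 1834 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.77 - - [03/Oct/2015:08:05:12 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
198.51.100.23 - - [03/Oct/2015:08:05:40 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { :; }; echo vulnerable" "curl/7.35.0"
"""

WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" \d+ \d+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# "() {" is the Bash function-definition prefix that a Shellshock-era Bash
# evaluated when it appeared in an environment variable such as a CGI header.
SHELLSHOCK_MARKER = re.compile(r"\(\s*\)\s*\{")


def detect_shellshock_probes(log_text):
    """Return one hit per access-log line whose Referer or User-Agent field
    carries the Shellshock function-definition marker."""
    hits = []
    for line in log_text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        for field in ("referer", "agent"):
            if SHELLSHOCK_MARKER.search(m[field]):
                hits.append({"ip": m["ip"], "request": m["request"], "field": field})
                break
    return hits


if __name__ == "__main__":
    for ip, a in detect_brute_force(AUTH_LOG).items():
        print(f"brute force from {ip}: {a['failures']} failures against {a['users']}, "
              f"login succeeded afterwards: {a['succeeded_after']}")
    for h in detect_shellshock_probes(WEB_LOG):
        print(f"Shellshock marker from {h['ip']} in {h['field']} of {h['request']!r}")
```

Threshold and window are tuning knobs; a hospital shift change produces bursts of genuine typos, so a threshold of five in one minute per source is a starting point, not a rule. A combined-format access log records only the Referer and User-Agent headers, so a probe sent in Cookie or any custom header would not be visible here; to cover those, the reverse proxy or WAF must log all request headers, or the same marker check must run there.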
A playground for spammers and phishers
Medical records have greater black market value than credit cards
It has been reported that an electronic health record (EHR) can bring 50 dollars1 versus typically a few quarters or dollars for a credit card number2
Credit card data, email addresses, social security numbers, employment information and medical history, including medical images, can open victims to spear phishing campaigns
Medical records are also highly prized for use in medical identity theft, a crime on the rise3
1 http://www.medscape.com/viewarticle/824192?src=rss
2 http://www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data
3 http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
Transforming business and introducing risk
Technology has helped the healthcare industry make great strides in the advancement of care, but it can also pose increased security risk
Internet of Things
Vulnerabilities in medical devices could be exploited for financial gain, or to cause injury or death
Theft of data via medical devices has occurred, and is also a risk
Mobile health apps
A 2013 study found there were 97,000 mobile health applications in major app stores1
Mobile applications in the hands of both consumers and medical staff can be attack entry points
Security in the cloud
A growing number of healthcare organizations are using software as a service (SaaS) in the cloud
Health information exchange (HIE) systems are increasingly cloud-based
1 http://research2guidance.com/the-market-for-mhealth-app-services-will-reach-26-billion-by-2017/
Legacy systems and processes, lack of funding
Migration to newer versions of an operating system or web browser requires time and money, and a lack of funding may be one of the fundamental obstacles
Also, healthcare companies may still use heritage processes without updating security practices around them, such as keeping paper copies of records or not encrypting PHI
Nearly half of healthcare organizations surveyed spend 3% or less of their IT budgets on security1
The ideal spend on security is 13.7% of the overall IT budget2
1 http://www.himss.org/News/NewsDetail.aspx?ItemNumber=28504
2 http://www-03.ibm.com/industries/ca/en/healthcare/documents/IDC_Canada_Determining_How_Much_to_spend_on_Security_-_Canadian_Perspective_2015.pdf
Where to focus limited funds
Ensure a full-time CISO is on board to guide strategy and budget
Put an incident response plan (IRP) and response team in place
Review medical devices for security issues
Encrypt, encrypt. And implement other data protection methods
Getting the complete picture
This and other IBM® X-Force® threat research reports can be downloaded here
About this report
This IBM X-Force report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources including event data, activity, and trends sourced from tens of thousands of endpoints managed and monitored by IBM for Managed Security Services accounts around the globe.
How IBM can help
IBM offers key security services to help you address these challenges
Assess: IBM Security Framework and Risk Assessment
Plan: IBM Incident Response Planning
Respond: IBM Emergency Response Services
Manage: IBM Managed Security Services
Where you can learn more
133 countries where IBM delivers managed security services
24 industry analyst reports rank IBM Security as a LEADER
TOP 3 enterprise security software vendor in total revenue
12K clients protected including 22 of the top 29 banks in Japan, North America, and Australia
Visit our web page: IBM.com/Security
Watch our videos: IBM Security YouTube Channel
View upcoming webinars & blogs: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
Legal notices and disclaimers
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.