Intel Security CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money.
As in other industries, health care is working toward maximizing efficiencies, containing expenses, capturing revenues, and delivering enhanced services through networked devices. Unfortunately, the new opportunities also involve challenges born of a reliance on fragmented cybersecurity strategies built around siloed architectures, and a failure to recognize the value of the extensive data stores the health care sector manages. Losing intellectual property and business confidential information could destroy whole pharmaceutical or biotech companies. Losing personal, sensitive patient data could squander the precious currency of trust in digital medicine, in care providers, and their application of technology.
A McAfee Labs report released today details some of the consequences of health care industry players failing to appreciate the value of data, the attractiveness of that data to cybercriminals, and the ecosystem growing around the theft of such data. The report, “Health Warning: Cyber Threats Targeting and Compromising the Health Industry,” features three areas of focus.
The value of protected health information
In recent years, Intel Security has observed the cybercriminal community extend its data theft efforts beyond financial account data to medical records.
Although credit and debit card numbers can be canceled and replaced quickly, this is not the case for protected health information (PHI) that does not change. This “nonperishable” PHI could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories. McAfee Labs found stolen medical records available for from $0.03 to $2.42 per record.
Cybercriminals analyze the data, and perhaps cross-reference it with data stolen from other sources to identify lucrative fraud, theft, extortion, character assassination, or blackmail opportunities across the population of patients.
Targeting intellectual property
Our research and analysis on the targeting of biotechnology and pharmaceutical firms suggest that the economic value of their intellectual property and business confidential information is considerably higher than the cents- and dollars-per-record data Intel Security’s researchers identified within patients health care accounts.
When you consider that research and development is a tremendous expense for these industries, it should be no surprise that cybercriminals are attracted to this category of data theft.
Intel Security researchers found evidence that formulas for next-generation drugs, drug trial results, and other business confidential information constitutes significant value. The stores of such data at pharmaceutical companies, their partners, and even government regulators involved in bringing new drugs to market have become premium targets of cybercriminals.
Ecosystem of health care data theft
Intel Security also identified cybercriminals leveraging the cybercrime-as-a-service market to execute their attacks on health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches. The researchers even observed efforts by cybercriminals, through online ads and social media, to recruit into their ranks health care industry insiders with access to valuable information.
The Second Economy challenge
The growth and evolution of the market for stolen health care data and the hacking skills required to steal it suggest that the business of cybercrime in this vertical industry is good and growing. Given the increasing threat to the industry, breach costs ought to be evaluated in new Second Economy terms—in which lost trust can inflict as much damage upon individuals and organizations as lost funds.
In health care, gaining the upper hand in cybersecurity means rejecting conventional defense paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information on attacks, exploits, and threats, the industry must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.
In the Second Economy, trust is the prime casualty of cybercrime. In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success.