Security software company Symantec is being drenched in calls from breached health organisations that have lost devices or suffered an information security snafu.
Some 80 per cent of the calls its incident response team has received since December are from healthcare firms, topping the charts for the number of breach incidents for 2014 for the fourth year running, according to Symantec's annual threat report (PDF).
More ReadingSecurity bods jab pins at encrypted database system balloonsJeb Bush: Repeal Obamacare and replace it with APPLE WATCHESIBM’s 700TB security threat database enters the cloud. Look to the heavens, hackersDigital pathology and the big Cs (that’s ‘cancer’ and ‘cloud’)Premera healthcare: US govt security audit gave hacked biz thumbs up
Most of these 116 incidents — which are up 25 per cent since 2013 — are due to lost or stolen devices and human database bungling.
Healthcare organisations have about four times as many incidents as education, government, and finance sectors, which averaged around 30 each.
Most exposures result in the disclosure of customers' real names, government identity numbers, and home addresses.
Symantec national healthcare solutions architect Axel Wirth claims healthcare providers usually lose data to device thieves or bumbling staff, but are also exposed because they run often unpatched legacy systems.
"Another situation that many healthcare providers struggle with are poorly patched devices, often running end-of-life operating systems," Wirth said.
"These highly vulnerable devices are a problem not because they're targeted, but because of their susceptibility to common malware," he added. "A number of hospitals have mature cyber-security programs in place, but many are still struggling with basic goals, such as implementing encryption to protect data on lost or stolen mobile devices, laptops, or data carriers."
Some 44 per cent of healthcare breaches are due to lost or stolen devices, up 10 per cent on 2013. Identity exposure through human error is behind 11 per cent of sector breaches.
Insider theft, however, is on the rise, and has doubled from a low base since 2013. Patient records are often sought by staff wishing to set up their own practices and recruit clients, along with run-of-the-mill data thieves.
Low-base increases include an uptick in hacker ransoms where thieves pinch patient records and demand cash to have the data returned, Wirth says.
Other report findings for 2014 include advanced attackers:
- Deploying legitimate software onto compromised computers to continue their attacks without risking discovery by anti-malware tools.
- Leveraging a company’s management tools to move stolen IP around the corporate network.
- Using commonly available crimeware tools to disguise themselves and their true intention if discovered.
- Building custom attack software inside their victim’s network, on the victim’s own servers.
- Using stolen email accounts from one corporate victim to spear-phish their next corporate victim.
- Hiding inside software vendors’ updates, in essence “Trojanizing” updates, to trick targeted companies into infecting themselves
The healthcare bod notes that flogged records are worth between $10 to $50 a pop, compared with credit cards that fetch around $0.50 to $1 each. ®