In the mysterious world of the dark web, medical records are available for sale every day, even though they fetch only a fraction of what a full financial record is worth. Still, they are available, and they do sell, so for many people, the answer is yes, your medical data is available to cyber criminals. While this is alarming at a personal level, the real issue is what businesses in the healthcare industry are doing to stop the theft of medical data.
Theft of medical records is nothing new. IBM declared “this is the year of the healthcare breach” in the Cyber Security Intelligence Index report. Symantec reported in the Internet Security Report that 39% of all reported data breaches in 2015 were from the healthcare industry. Further, the Identity Theft Resource Center found that two-thirds of the total number of compromised records from reported data breaches were from healthcare, leaving just one-third for all other industry segments combined, including Government, Financial, Manufacturing and Retail. And all indications are that healthcare will continue to be a hot target for cyber criminals.
It is possible that the lower relative price of medical records is more a reflection of supply vs. demand than of the value of an individual record. It is also believed that medical records hold greater value for longer-term criminal efforts, as compared with the quick financial gain one might get from stolen credit card or bank account records. McAfee found medical records to sell in a range of a fraction of a cent up to $2.50, while financial records including a credit or debit card sell for $14 to $25 each.
So what? Even if your data is only worth pennies per record, cyber criminals are eager to add your records to their virtual warehouse. And for you, it is not a matter of how much your data will bring on the dark web market; rather, you should be concerned about the impact a data breach would have on your brand reputation and what that could do to your place in the legitimate marketplace.
Noteworthy is the fact that according to Nuix, a global technology company, 97% of security executives surveyed agreed that human behavior was their greatest vulnerability. This was a key finding in their recently released “Defending Data” report, based on survey responses from Information Security practitioners. The sad truth is that even with huge investments in cyber security defenses, people remain a weak link. Consider that the cyber security industry knows, and by extension criminal actors know, that people continue to engage in risky behaviors like opening malicious email attachments, allowing remote access or installing unverified apps and programs containing malicious code. All of these attack vectors are used on a daily basis in attempts to gain access to systems for the purpose of initiating a breach.
It stands to reason, then, that a key to battling cyber criminals is to equip your employees with the skills and awareness to become an effective front line of defense. Your goal needs to move from an annual awareness review to a program of quantifiable training that results in long-term, measurable changes in employee behavior. Modern training techniques can deliver new skills and ingrain cyber security awareness. You as a business owner need to create a culture that supports this change in behavior, and help your employees understand how they must behave as an ever-vigilant part of the solution.