There's no business out there that has zero chance of being targeted by cyber criminals. There are only companies that are prepared for such an incident, and those that aren't. Unfortunately, many organizations selectively absorb cyber security news, leading them to take a rather indifference stance toward the need for strong business network protection. For instance, an IT leader at a small business may well look at the main breach headlines of the day – which are more likely than not to involve large businesses – and assume, on this basis, that small businesses fall outside the purview of hackers. This is a false and potentially destructive assumption, and it's the kind of misconception about the cyber sphere that is leading more companies into situations they are not prepared to face.
For companies within every industry, mounting the proper preparations needs to be a central priority not just for leaders in the business IT department, but for enterprise leaders in the executive suite. And this enteprise-wide proactive approach to cybersecurity needs to be in place at literally every business out there today. That's because hackers are sitting outside every kind of industry, and they're looking to targets of all sizes. This is something we pointed out in the first part of this article, which looked at hacking incidents so far this year that have hit two industries: banking and business. In the banking arena, for instance, there's no denying that attacks on big business happened. A breach at Scottrade, for instance, resulted in private data that included Social Security information being compromised for 4.6 million patrons. But hackers are just as keen on attacking smaller operations, as evidenced by a breach of the Virginia Credit Union that resulted in around 2,000 cardholders having their information hacked.
In terms of cyber crime targets, most people probably aren't surprised to hear that financial and enterprise organizations fall into the crosshairs of hackers. What they'll undoubtedly be surprised to learn, however, is that the vast majority of breached records this year has not, in fact, come from those two industrial arenas. Instead, healthcare is the sector that's suffered 68.3 percent of total breached records across industries this year as of October 20, according to Identity Theft Resource Center data. It's this kind of eye-opening statistic that illuminates a central fact of cyber crime these days: It truly is everywhere. In this second and final part of the article, we'll look at some significant hacking incidents that have taken place this year in the three other sectors the ITRC charts: Education, Government/Military and Medical/Healthcare. As with the first part of the article, the information in this piece is based on ITRC data.
Educational institutions are no haven from cyber crime, as evidenced by the 49 recorded education breaches in the ITRC report. When you consider the kind of information that educational networks – particularly post-secondary institutions – have on record (information for students, staff, and alums as well as academic records) it becomes easier to see why they make such a prime target. Educational organizations are, as security expert Chad A. Holmes explained, "really a playground for hackers." As of October 20, there have been 754,100 education records breached this year. Here are some of the more notable incidents:
- Harvard University: It'd be nice to think that if you attend or work for one of the most elite colleges in the country, your data is entirely safe, but as the range of incidents out there continue to show, there's no such thing as an unbreachable organization. Back in July, news came out that the faculty and administrative networks of Harvard had become subject to a malicious intrusion, according to The Hill. Fortunately, as Provost Alan Garber pointed out in a release about the incident, the intrusion reportedly did not result in the compromising of person-related data, as The Boston Herald reported. While this was positive news for Harvard people who might otherwise have worried about their private data being made vulnerable, the mere fact that the hack took place likely still led people connected to the university to experience an understandable sense of anxiety related to the incident.
- Pennsylvania State University: Sometimes, one single infected computer is all it takes for an entire enterprise network to fall victim to a cyber criminal incident. This was a harsh lesson that PSU learned the hard way when this precise thing happened to a computer on the school's campus. Unfortunately for university administrators, the particular computer that had been targeted contained highly privileged data – including Social Security numbers – for 554 individuals. But this attack – which was discovered on June 9 – was not the only cyber attack to befall the school this year. As Inside Higher Ed pointed out, Penn State had fallen victim to several other attacks. The problem for institutions like PSU, as University of Maryland University College chair of the master of science in cybersecurity technology program Emma Garrison-Alexander pointed out to Inside Higher Ed, is that "An adversary only needs to find and exploit one vulnerability – that's all they need to do. The challenge is enormous for a university or any entity when it comes to cybersecurity, and sometimes that gets lost in the hype of what's happening in an organization."
Government and military enterprises have certainly not been spared the burden of having to deal with major hacks this year. All told, there have been nearly 34 million government records breached so far in 2015, which comprises 19.3 percent of total compromised records. Unfortunately for government and military entities, these numbers are only set to rise, since cyber criminals see particular value in government targets, which can often offer even more privileged data than that which could be collected from an attack on a different sector. Here are some of the significant government and military hacks to take place this year:
- Salt Lake County: When you're setting up your network security settings, you'll want to ensure that everything is done properly. And if you're bringing in an outside software services company to complete the task, you'll definitely want to make sure that they carry out the installation correctly – particularly if the information that's being protected is highly privileged data like Workers' Compensation records. Unfortunately for Salt Lake County, the software services company they hired to carry out software upgrades wasn't as careful as they should have been. On June 18, as a subsequent legal briefing pointed out, the services business that was implementing the upgrade made a set-up error. This led to the privileged information contained in the network – which included damage claims – to possibly have been made viewable to the public for a period of time. Considering that this data occasionally included highly confidential things like Social Security numbers and even medical information, this didn't look good for Salt Lake County. While the county is in the process of recovering from the incident and offering credit monitoring to those who were possibly impacted, this is still the kind of incident whose negative impact could linger for a while.
- City of Philadelphia – Fire Department EMS Unit: It's not infrequently that we hear of breach incidents being disclosed a long time after the fact, but still, it's always bound to be a surprise for any victims. Such was the case in April 2015, when the Philadelphia Fire Department put out a report of a data breach that had occurred three years earlier. The incident stemmed from the fact that the fire department entrusted a third-party company – Intermedix – with the regulation of its data. Unfortunately, there was an employee of Intermedix who had criminal motives. Because this employee had access to the records of the fire department, he was able to make off with financial data belonging to patients. All told, 750 patients were impacted in the incident. While the victims of the incident were offered credit monitoring services, that certainly doesn't compensate for the fact that the breach happened in the first place.
Medical and healthcare-based breaches currently result in the greatest number of breached records. According to the ITRC's data, incidents from this sector resulted in 119,908,807 compromised records – or 68.3 percent of overall breached records to date. This can be largely explained by the value of information contained within these networks. Within the cyber criminal realm, personal health records represent some of the most sought-after data out there due to health records often being able to provide identity-based data – such as Social Security numbers – that are permanently tied to an individual, and therefore cannot be canceled in the way, say, a debit card can be, as Electronic Health Reporter stated.
These days, healthcare-based breaches are so widespread – and costly – that they're demanding a better response among medical and healthcare organizations. According to Bloomberg Business, attacks on the healthcare sector are leading to $6 billion in losses a year, with the typical breach on a hospital costing that institution more than $2 million. As Tom Kellermann, chief cybersecurity officer at Trend Micro, explained, mounting attacks on the healthcare arena reflect a cyber criminal trend.
"The healthcare industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable," Kellermann said.
And while medical organizations are getting the memo about the ever-mounting threat atmosphere – and are attempting to do a better job of securing their networks – these efforts are being matched and often outdone by cyber criminals who are leveraging sophisticated hacking strategies and the international cyber crime network to carry out attacks of great sophistication. According to one industry survey, a staggering 81 percent of all healthcare organizations have suffered a breach over the past two years.
"The vulnerability of patient data at the nation's health plans and approximately 5,000 hospitals is on the rise and healthcare executives are struggling to safeguard patient records," industry expert Michael Ebert stated. "Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for execs is to advance their institutions' protection to create hurdles for hackers."
Expert Greg Bell added that another key proactive step hospitals and other healthcare organizations can take is to implement better detection features, since hackers who evade detection are able to do far more damage than those whose actions are expediently detected and countered with robust security measures.
"Healthcare organizations that can effectively track the number of attempts have less cause for worry than those who may not detect all of the threats against their systems," Bell said. "The experienced hackers that penetrate a vulnerable healthcare organization like to remain undetected as long as they can before extracting a great deal of content, similar to a blood-sucking insect."
Here are just a few of the healthcare-based cyber attacks to make headlines this year:
- Johns Hopkins: When you're a medical professional with privileged patient data on your laptop, you're going to want to make sure that laptop is encrypted in the event that it's stolen. But a physician at Johns Hopkins did not suitably protect his laptop, so that when it was stolen, that theft resulted in the potential compromising of data for the 571 cancer patients and the 267 study individuals whose information was stored on the physicians' device. This incident should spark an important conversation among hospitals – and all organizations, for that matter – about the importance of securing mobility in the workplace. If, as was the case here, an employee has a laptop that contains privileged institutional data, that laptop needs to be held to an extremely high security standard given that it will be transported.
- Blue Cross Blue Shield of New Jersey: When you're a cyber criminal and you have your hands on some patient information, there are a multitude of things you can do with that data. The opportunities there lead criminals to become inventive when it comes to making off with patient data. Such was the case in New Jersey, where, according to HIPAA Journal, "criminals posed as doctors in order to gain access to the Protected Health Information of patients." Their effort was successful and they were able to breach information for around 1,100 patients. The end game of the criminals was to file false insurance claims. This is something that can have long-lasting negative repercussions for victims, and can lead to significant hassles down the line like having a valid insurance claim denied.
Preparing across industries
Does your business have the measures in place that it needs to confront the cyber threat atmosphere of today? That's a vital question for all organizations to ask, and it's one where the answer will be very significant for business operations as a whole. If you're a small business dependent on significant customer loyalty and you experience a cyber attack that exposes patron data, don't be surprised to see that loyalty disappear. And if you're a large organization with an expansive shopper base that's breached, you can expect to be the next big hack headline. These are scenarios that can be prevented, however, through the deployment of leading enterprise security solutions.