Monthly Archives: March 2018

The state of cybersecurity in healthcare organizations in 2018

Larry Ponemon

A strong cybersecurity posture in healthcare is critical to patient safety. Attacks on patient information, medical devices and a hospital’s systems and operations can have a variety of serious consequences. These can include disrupting the delivery of services, putting patients at risk for medical identity theft and possibly endangering the lives of individuals who have a medical device.

To determine the prognosis for healthcare organizations’ ability to reduce cyber attacks, Ponemon Institute conducted The State of Cybersecurity in Healthcare Organizations in 2018, sponsored by Merlin. We surveyed 627 IT and IT security practitioners in a variety of healthcare organizations that are subject to HIPAA. According to the research, annual spending on IT security increased from an average of $23 million in 2016 to $30 million, and the average number of cyber attacks each year increased from 11 to 16. On average, organizations spend almost $4 million to remediate an attack.

Healthcare organizations are not immune to the same threats facing other industries. The threats that are the source of most concern are employee errors and cyber attacks. However, third-party misuse of patient data, process and system failures and insecure mobile apps also create significant risk.

The following factors are affecting healthcare organizations’ ability to secure sensitive data and systems:

  • The existence of legacy systems and disruptive technologies, such as cloud, mobile, big data and Internet of Things, put patient information at risk.
  • More attacks, including advanced persistent threats (APTs), evade intrusion prevention systems (IPS).
  • Disruptions to operations and system downtime caused by distributed denial of service (DDoS) attacks are increasing.
  • Healthcare organizations are targeted because of the value of patient medical and billing records.
  • A lack of in-house expertise and security leadership makes it more difficult to reduce risks, vulnerabilities and attacks.

Best practices from high-performing healthcare organizations

As part of the research, we did a special analysis of those respondents (59 out of the total sample of 627) who rated their organizations’ effectiveness in mitigating risks, vulnerabilities and attacks against their organizations as very high (9+ on a scale of 1 = low effectiveness to 10 = high effectiveness). These respondents are referred to as high performers, and the analysis is presented in this report.

According to the research, these high-performing organizations are able to significantly reduce cyber attacks. Following are characteristics of high-performing organizations:

  • More likely to have an incident response plan and a strategy for the security of medical devices.
  • Their technologies and in-house expertise improve their ability to prevent the loss or exposure of patient data, DDoS attacks, and other attacks that evade their IPS and AV solutions.
  • High-performing organizations are better at increasing employee awareness about cybersecurity risks.
  • High-performing organizations also are more positive about the ability to ensure third-party contracts safeguard the security of patient information.
  • High-performing organizations are more likely to have the necessary in-house expertise, including a CISO or equivalent.

Part 2. Key findings

In this section, we provide a deeper analysis of the research. When possible, we compare the findings in this year’s research to the 2016 study.

Trends in risks facing healthcare organizations: Why more cyber attacks are occurring

Patient information is under attack and at risk. On average, healthcare organizations experience 16 cyber attacks annually, an increase from 11 attacks in the 2016 study. As shown in Figure 2, more than half (51 percent of respondents) say their organizations have experienced an incident involving the loss or exposure of patient information in the past 12 months, an increase from 48 percent in 2016.

Healthcare organizations are experiencing ransomware attacks. For the first time, ransomware attacks were included in the survey, and 37 percent of respondents say their organizations experienced such an attack. While some security incidents decreased, healthcare organizations continue to be at great risk from a variety of threats.

More attacks, including advanced persistent threats (APTs), evade intrusion prevention systems (IPS). Our survey shows 56 percent of respondents say their organizations have experienced situations where cyber attacks evaded their intrusion prevention systems, an increase from 49 percent of respondents in 2016. Forty-four percent of respondents say their organizations have experienced cyber attacks that evaded their anti-virus (AV) solutions and/or traditional security controls.

More organizations have systems and controls in place to detect and stop advanced persistent threats (APTs). Thirty-three percent of respondents say their organizations have systems and controls in place to detect and stop APTs, an increase from 26 percent of respondents in 2016.

Distributed denial of service (DDoS) attacks increase. Some 45 percent of respondents report their organization had a DDoS attack, an increase from 37 percent of respondents in the 2016 research. On average, organizations experienced 2.94 DDoS attacks in the past 12 months, an increase from 2.65 in 2016.

Hackers are most interested in stealing patient information. The most lucrative information for hackers can be found in patients’ medical records and billing information according to 77 percent and 56 percent of respondents, respectively.

Survey question shown in the accompanying figure: What types of information do you believe hackers are most interested in stealing?

Read sections 2 and 3 of this report at Merlin’s website. 



Retirement account ID theft soars, report says


Bob Sullivan

Criminals armed with a flood of data stolen in recent data breaches are newly targeting consumers where it might hurt most: their retirement accounts. The lucrative crime of brokerage account takeovers isn’t new, but it appears identity thieves are having more luck recently raiding victims’ retirements, tricking brokers into emptying accounts and mailing checks that can exceed $100,000.

It’s critical for consumers to realize that retirement accounts have few of the protections afforded to credit and debit card holders; getting “refunds” after an incident like this involves much more than a few phone calls.

Andrea and Steve Voss of Georgia were lucky; they check their account frequently and noticed something had gone wrong — their account balance was $0, and $42,000 was missing. A criminal had ordered it liquidated, and a $42,000 check sent to their home — then redirected that check to a local UPS store, according to the Atlanta Journal Constitution.

The Vosses alerted authorities, and police intercepted the delivery, nabbing two suspects. They were arrested with an $85,000 check from another victim.

At about the same time, an anonymous writer at the investment site Bogleheads complained that $52,000 had been taken from his elderly father’s IRA account.

These don’t appear to be isolated incidents. Tucked in the annual Javelin Strategy & Research survey of ID theft crimes was this grim fact: criminals freshly armed with complete dossiers on potential victims are expanding their arsenal of fraud attacks far beyond traditional credit card account hijackings. So-called existing non-card fraud is up sharply, as criminals hijack everything from hotel reward point accounts to mobile phones to crypto-currency wallets. But the crime that might be most devastating – where many victims probably keep their biggest pile of money — is brokerage account takeovers. Javelin says that in 2016, such crimes accounted for only 2% of existing non-card fraud. In 2017, that swelled to 7% — more than tripling in one year.

Retirement account hijackers have a few things going for them. Consumers might not check these accounts as often, particularly when there’s bad news. And of course, their balances are usually larger than savings or checking accounts.

One might imagine moving money out of a retirement account would be challenging, but that is not always the case. According to the Atlanta Journal Constitution, “surprisingly little” information was required — the Vosses’ name, address, date of birth and Social Security number.

(I’ve reached out to the firm involved, Prudential, to see if there’s any update to that process or if it has a comment. I will update this story if it responds.)

The Bogleheads victim offers a similar tale:

The custodian of my father’s IRA states that in early September they received a phone call from a man posing as my father, who passed all the security questions and requested a change in email address and that forms for withdrawal of funds be sent to that email. Around two weeks later the custodian received all the paperwork authorizing the withdrawal of funds from the account, and the electronic transfer of said funds into a bank account under my father’s name at a bank he had never heard of and certainly did not use for banking (Regions Bank). The custodian states that the paperwork had my father’s (alleged) signature notarized, and also included a copy of a check from the bank account into which the funds were to be deposited. At that point, the custodian effected the requested transfer of $52,000. 

That tale also has a happy ending, with the victim reporting the money was returned to the account — but only after about six weeks of back-and-forth discussion, the writer says. (I’ve reached out to the firm involved and will update if it responds.)

Retirement account hacking isn’t new. Way back in 2007, I wrote about a consumer who lost $179,000 in such a scam. What I learned then is what you need to learn now: The broker has no clear legal obligation to return the stolen funds. Recall that if your checking account is raided, banks have to restore the funds within days while they investigate. No such protection exists for brokerage accounts. Victims might be able to talk their way into a refund, or sue their way into one, but there’s no shortcut process for that.

That’s why it’s critical to know that ID thieves, armed with their massive databases of consumer data, are targeting these kinds of accounts. Check them, often. Make it part of your normal routine, when you check all your other accounts for fraud. Otherwise, you might end up missing every dollar you’ve worked your whole life to set aside.