Forget credit card numbers. The hot new data for the modern bad guy is the electronic health record, which is not only worth more on the black market, but is easier to get.
The health care industry has been lagging behind when it comes to security effectiveness, according to a 2014 BitSight report, "with a worse average rating than the retail industry, including a high volume of security incidents and slow response times," said Stephen Boyer, CTO and co-founder at Cambridge, Mass.-based BitSight Technologies.
"Health care companies have often been more willing to accept those risks because of a mistaken belief that 'the hackers are after credit card numbers, not electronic health records,'" said John Pescatore, director of emerging trends at Bethesda, MD-based SANS Institute.
Meanwhile, Gemalto's 2014 Breach Level Index showed that the healthcare industry suffered more breaches last year than any other industry, accounting for 25 percent of all breaches globally.
"Cyber criminals are now going after health care records because they hold up to ten times more value on the black market over simple credit card numbers," said Carl Wright, general manager at San Mateo, Calif.-based TrapX.
Electronic health record information can be used for billing scams that go as high as the value of the health insurance policy, to purchase prescription drugs for resale on the black market, and also for run-of-the-mill identity theft.
In addition, recent changes in the health industry mean that many formerly offline, disparate health data sources are now being brought together, said Ivan Shefrin, vice president of security solutions at Cupertino, Calif.-based TaaSera, Inc.
"And attackers are carefully studying and exploiting weak spots in new, vast connectivity," he added.
The healthcare providers and insurance companies are often unprepared for the level of cyberattacks they're facing, he said.
Experts urge firms to reduce attack surface, add authentication, and share info
Encrypting data isn't a 100 percent solution to the issue of data breaches. After all, at some point, people have to be able to look at the information in order to work with it.
But there's a lot companies can do with encryption and tokenization to reduce the amount of time that data spends in unencrypted form, said Gerry Grealish, CMO at McLean, Va.-based Perspecsys.
This makes the criminals' job a lot harder, and allows security managers to concentrate their efforts on protecting those few vulnerable points.
"In essence, they are trying to find the needle in the haystack," said Grealish. "And if they were ever to locate it, they would find the needle itself is locked down and is under 24-7 monitoring."
Many of the recent breaches involve compromised credentials and abuse of privileges. The attackers get access to a user account, then leverage that access to get into other accounts, until they find one that gets them to the data that they want.