Data breaches of small businesses, including doctor offices, on the rise
A report says cyber criminals are seeking what they consider easy targets.
Small organizations, including physician practices, represented the largest number of data breaches in 2011, according to Verizon’s annual Data Breach Investigations Report.
The report examined 855 breaches across the globe that accounted for 174 million compromised records in 2011. The analysis found that cyber criminals are responsible for a large number of breaches globally, and small organizations are considered easy targets.
One of the reasons breaches at small health care organizations are on the rise is that automated attacks searching for remote Internet access services combined with weak passwords “were successful against smaller health care businesses, such as physicians’ offices and clinics,” said Marc Spitler, senior risk analyst of RISK Intelligence for Verizon.
The report said 97% of the breaches could have been avoided through simple or intermediate security controls.
For the report, Verizon partnered with the U.S. Secret Service; the Dutch National High Tech Crime Unit; the Australian Federal Police; the Irish Reporting & Information Security Service; and the Police Central eCrime Unit of the London Metropolitan Police. Small organizations represented the largest number of victim organizations, with 612 of the 855 incidents occurring at organizations with one to 100 employees.
When broken down by industry, health care and social assistance organizations represented 7% of the breaches. “Smaller organizations are the ideal target ... and money-driven, risk-averse cyber criminals understand this very well,” the report said.
The report found that 65% of the breaches had a low level of difficulty for the initial compromise of data.
“We’ve come to the realization that many of the organizations covered in this report are probably not getting the message about their security,” the report’s authors wrote. “We’re talking about the smaller organizations that have one [or a handful of point-of-sale] systems.”
The report was not specific to health care, nor did it include all types of breaches. For example, incidents involving lost devices or insecure record disposal were unlikely to have been investigated by the agencies that contributed data to the report, Spitler said. Most of the incidents in the report involved organizations that were targeted not because of their health data but because of the debit and credit card transactions that occurred at the health care organization.
Larry Clinton, president and CEO of Internet Security Alliance, said cyber criminals are just one threat to health care data. Lost devices and inside jobs also are responsible for a growing number of data breaches.
The Internet Security Alliance, a multisector trade association for organizations concerned about information security, published a report in March with the American National Standards Institute and the Shared Assessments Program that underscored the threat to small practices. It found that health data breaches have grown rapidly with the adoption of electronic health record systems.
Between 2005 and 2008, 39.5 million patient records were breached in the United States, according to the research. In the past two years, 18 million Americans have been impacted by a breach. Medical information is considered not only easier to access, given the lack of data security at many organizations, but also valuable.
Clinton said a thief could make $50 for a medical identification number compared with $1 for a Social Security number.
The Verizon report recommends that small organizations change default credentials on point-of-sale systems and other Internet-facing devices, and put a firewall or access control list in front of remote access and administration services so that they are not open to the entire Internet.
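The attack pattern Spitler describes, automated scanning for remote access services followed by password guessing, leaves a recognizable trace in authentication logs, and a practice that exposes such a service to the Internet can watch for it. The script below is an added example, not from the Verizon report or the article. It assumes OpenSSH-style syslog lines (a Windows Remote Desktop server would need a different parser); the log lines, the host name "clinic-srv", and the five-failures-in-five-minutes threshold are constructed for illustration.

```python
"""Flag password-guessing runs against a remote access service, and the
successful login that ends one, from OpenSSH-style syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the report or the article). 203.0.113.9 and
# 198.51.100.7 are documentation addresses; "clinic-srv" is a hypothetical host.
SAMPLE_LOG = """\
Mar  5 02:14:01 clinic-srv sshd[4120]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar  5 02:14:03 clinic-srv sshd[4121]: Failed password for admin from 203.0.113.9 port 51236 ssh2
Mar  5 02:14:05 clinic-srv sshd[4122]: Failed password for invalid user pos from 203.0.113.9 port 51240 ssh2
Mar  5 02:14:06 clinic-srv sshd[4123]: Failed password for admin from 203.0.113.9 port 51241 ssh2
Mar  5 02:14:08 clinic-srv sshd[4124]: Failed password for admin from 203.0.113.9 port 51245 ssh2
Mar  5 02:14:11 clinic-srv sshd[4125]: Accepted password for admin from 203.0.113.9 port 51250 ssh2
Mar  5 08:30:12 clinic-srv sshd[4300]: Failed password for drlee from 198.51.100.7 port 40021 ssh2
Mar  5 08:30:20 clinic-srv sshd[4301]: Accepted password for drlee from 198.51.100.7 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2012):
    """Return {"ts", "result", "user", "ip"} for a password auth line, else None.
    syslog timestamps carry no year, so the caller supplies it (assumed 2012)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Single pass over the log with a sliding window of failures per source IP.

    Returns (sources, suspicious_logins):
      sources           {ip: {"failures": total, "users": [names tried]}} for every
                        IP that reached `threshold` failures inside `window`
      suspicious_logins [(ip, user, ts)] for each accepted password that was
                        preceded by >= threshold failures from the same IP inside
                        `window`, i.e. the guessing run that succeeded
    """
    recent = defaultdict(deque)   # ip -> (ts, user) of failures still inside window
    totals = defaultdict(int)     # ip -> all failures seen
    tried = defaultdict(set)      # ip -> user names tried by a flagged source
    suspicious = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue              # other sshd/syslog noise
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()           # expire failures older than the window
        if ev["result"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            totals[ev["ip"]] += 1
            if len(q) >= threshold:
                tried[ev["ip"]].update(u for _, u in q)
        elif len(q) >= threshold:
            # A success right after a burst of failures: treat as a compromise.
            suspicious.append((ev["ip"], ev["user"], ev["ts"]))
    sources = {ip: {"failures": totals[ip], "users": sorted(users)}
               for ip, users in tried.items()}
    return sources, suspicious


if __name__ == "__main__":
    sources, logins = detect_password_guessing(SAMPLE_LOG)
    for ip, info in sources.items():
        print(f"guessing from {ip}: {info['failures']} failures, users {info['users']}")
    for ip, user, ts in logins:
        print(f"SUSPICIOUS LOGIN {user}@{ip} at {ts:%Y-%m-%d %H:%M:%S}")
```

On the sample, 203.0.113.9 is reported as a guessing source that tried root, admin and a non-existent "pos" account, and the accepted login for admin at 02:14:11 is flagged because it follows five failures from the same address within the window; the single typo by drlee from 198.51.100.7 is not flagged. The check on successes is the part worth keeping: a burst of failures alone is just Internet background noise for any exposed service, while a success that ends one is the breach the report describes.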
The first step is realizing how valuable the data are on the black market, Clinton said, and then recognizing that this is not just an IT problem. An organizationwide risk management approach is needed. The alliance offers free publications that help small organizations set up cyber-security programs.
“Attackers are businessmen themselves,” Clinton said. “They look for the greatest return on investment, and that would be to attack medical professionals that have little to no security defenses, which often are the smaller businesses.”