Cybercriminals are primarily after patient data as it really gets them more money.

Cybercriminals are constantly looking to make a quick buck. But while many industry observers may assume – based on recent headlines – that credit cards are what these miscreants are primarily after, it is, in fact, patient data that really gets them more money. 

Credit cards reportedly fetch an average of $1 on the black market. However, a single patient's data can go for as much as $50. When you take these numbers into account, it's easy to see why the health care sector draws so many attacks.

The Ponemon Institute's “Fourth Annual Benchmark Study on Patient Privacy and Data Security” indicates that of the 91 health care organizations polled, 38 percent had more than five breaches in a two-year period. Additionally, a recent Washington Post analysis of data provided by the U.S. Department of Health and Human Services indicates that 944 cybersecurity incidents, impacting more than 30 million individuals, have been reported to government agencies since federal reporting on events affecting more than 500 individuals began being enforced in 2009.

Seeing as this sector handles some of the most sensitive PII, shouldn't those in charge of protecting that data be fully equipped to do so? 

Larry Whiteside, CISO at the Lower Colorado River Authority and former CISO at Spectrum Health, said that it's not a matter of health care “not trying” but a combination of budget and personnel issues. 

“Margins being low does not allow the industry to compete with others such as financial services, retail…and others,” Whiteside said. “This does not bode well for them nor lead them to getting top tier talent.” 

Although some organizations may have a dedicated CISO, Whiteside added that the sector is known for placing those in charge of information security at a level within the organization that limits their effectiveness. 

Scott Erven, founder of SecMedic, a tech firm that specializes in medical device security, agreed. “There are very few senior security roles in health care that have direct reporting relationships to executive management,” Erven said. “In most medium and small health care practices, the designation of security officer is often appointed to an employee who is willing to wear multiple hats.”

The consensus: Shifting the C-suite structure and allocating more dollars toward hiring top-tier talent may be the changes needed for health care to take that much-needed step forward.