This is the time of year for lists. In this case, the healthcare industry is probably not happy about coming in #1. IBM has named 2015 as The Year Of The Healthcare Breach, with 34 percent of all records breached being healthcare-related.
In just the first half of the year, over 100 million healthcare-related records were compromised.
The cyber security universe has focused a lot of its energy on fixing credit-card-related fraud. While this is good, it is only solving a very small part of the problem.
An indication of this is that the price of credit card data on the dark web is down dramatically. Part of this is because the credit card industry has improved its ability to detect fraudulent use, but part of it is also because there are so many fraudulent credit cards out there that there are not enough crooks to use them.
So what is an enterprising information thief to do?
Healthcare records can sell for 50 TIMES what a credit card record sells for on the black market. Partly this is because the insurance industry, both private and government, has not done a great job at cracking down on fraudulent use of healthcare information, but partly it is because you cannot change your healthcare information if it gets compromised the way you can change your credit card number. As a result, the useful life of fraudulently used healthcare information is measured in years, unlike that of credit cards, which is measured in days and weeks.
So now we know that healthcare breaches are bigger than credit card breaches, but what is bigger than healthcare breaches?
In my opinion, it is the theft of intellectual property. This includes employees who leave a company and take customer files, proposals, and other IP as well as people who steal it for financial benefit.
Only occasionally do we get a glimpse of the size of this business and that is usually accidentally. For example, last month when the attackers who stole customer information from J.P. Morgan Chase were indicted, we got a peek. Remember, there was no bank account or credit card data in that theft. Still, according to the U.S. Attorney, the attackers made hundreds of millions of dollars. They did this by trading on inside information – theft of intellectual property.
And, for the most part, there is no law that requires that the theft of intellectual property be disclosed, assuming that the company even knows that it has been stolen. After all, there is no credit card company or insurance company looking for the use of stolen intellectual property. And the company still has its data.
Personally, I think that theft of intellectual property dwarfs all other forms of data theft. And we are not spending a lot of effort stopping it. China and other countries are masters of it. By stealing, for example, the plans for the F-35 Joint Strike Fighter, China saved tens of billions of dollars. First, they don’t need to spend the R&D dollars to develop, for example, new engines – they just copy what we did. Second, they don’t need to buy those engines from us – costing us billions in business. And they take our technology and sell engines built with it to other countries, reducing the market for our engines – costing us even more money.
This is just a very obvious and large-scale example, but on a much smaller scale, if a competitor learns your business methods, they don’t have to develop them themselves and will compete with you using your own processes and technology. Or try to steal your customers away from you. You get the idea.
So while healthcare is #1, there is a hidden #1 that we are not even talking about.
Information for this post came from HITECHanswers and BreakingDefense.