We wrote about LinkedIn having 6 million passwords stolen. eHarmony has also been a victim, with 1.5 million passwords stolen. The clear message is that if these large websites can fall victim to cyber-criminals, much smaller organizations stand little chance of defending their information.
Both LinkedIn and eHarmony are well-funded companies with the resources to ensure that proper defenses are in place to protect important electronic assets (namely user account information). Yet even with these resources, they were still victims of cyber-criminals who stole user account information and posted it on public websites.
Much smaller organizations should be very nervous about cyber-criminals. Smaller organizations, which include most medical practices, have very little in the way of layered IT security. Firewalls, if in place, are usually not locked down or configured properly to defend against attack; intrusion detection systems are usually not in place; and audit review of user access generally does not occur. Without these defenses, smaller organizations stand little chance if they are targeted by cyber-criminals.
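As an added example (not part of the original post), the following Python script shows concretely what "locked down" means for a firewall: it reads an iptables-save style ruleset and flags a default-ACCEPT policy on the INPUT or FORWARD chain and any rule that exposes an administrative service (RDP, SSH, SMB, database ports) to arbitrary sources. Both rulesets embedded in it are constructed for illustration, and the list of administrative ports is an assumption to be adjusted for your own environment.

```python
"""
Audit an iptables-save style ruleset for the "not locked down" weaknesses
small organizations commonly have. Added example, not from the original post.
The two rulesets below are constructed for illustration; in practice feed the
script the real output of `iptables-save`.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed sample (assumption): a never-hardened host with a permissive
# default policy and remote-admin ports open to the world.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample (assumption): same services, default-deny, admin access
# restricted to an internal management subnet, and dropped traffic logged.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.0.5.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp -s 10.0.5.0/24 --dport 3389 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
"""

# Assumption: services that should never be reachable from arbitrary sources.
# Adjust to the environment being audited.
ADMIN_PORTS = {
    22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5900: "vnc",
}

POLICY_RE = re.compile(r"^:(\w+)\s+(\w+)")   # ":INPUT ACCEPT [0:0]"
RULE_RE = re.compile(r"^-A\s+(\w+)(.*)$")     # "-A INPUT -p tcp ... -j ACCEPT"


def _option(args: str, flag: str) -> Optional[str]:
    """Return the value following `flag` in an iptables rule, or None."""
    toks = args.split()
    for i, tok in enumerate(toks):
        if tok == flag and i + 1 < len(toks):
            return toks[i + 1]
    return None


def audit_ruleset(text: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings: List[str] = []
    for line in text.splitlines():
        pol = POLICY_RE.match(line)
        if pol:
            chain, policy = pol.groups()
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(f"chain {chain} default policy is ACCEPT (should be DROP)")
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        chain, args = rule.groups()
        # Only inbound accept rules with an explicit destination port matter here.
        if chain != "INPUT" or _option(args, "-j") != "ACCEPT":
            continue
        port = _option(args, "--dport")
        if not port or int(port) not in ADMIN_PORTS:
            continue
        # iptables-save omits "-s" when the source is unrestricted.
        src = _option(args, "-s") or "0.0.0.0/0"
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0 or not net.is_private:
            findings.append(f"{ADMIN_PORTS[int(port)]} (tcp/{port}) accepted from {src}")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: {len(audit_ruleset(ruleset))} finding(s)")
        for f in audit_ruleset(ruleset):
            print("  -", f)
```

The weak ruleset produces four findings (two permissive chain policies plus RDP and SSH open to any source); the hardened one produces none. The check is deliberately narrow: it ignores `multiport` matches and non-filter tables, so treat it as a starting point rather than a complete firewall review.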
The 2012 Verizon Data Breach Investigations Report gives more insight into why smaller organizations are targets of cyber-criminals:
Once again, organizations of all sizes are included among the 855 incidents in our dataset. Smaller organizations represent the majority of these victims, as they did in the last DBIR. Like some of the industry patterns, this relates to the breed of “industrialized” attacks mentioned above; they can be carried out against large numbers in a surprisingly short timeframe with little to no resistance (from the victim, that is; law enforcement is watching and resisting. See the “Discovery Methods” section as well as Appendix B.) Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well. Thus, the number of victims in this category continues to swell.
Smaller organizations should ask themselves an important question: what would happen to our business if our valuable information about customers or patients were stolen and posted on a public website? Imagine if all your customers’ Social Security numbers or credit card information were posted on a public website. Or imagine if all the patient data in your EMR were posted on a public website. The press would be all over the story, and there is a very good chance that a majority of your customers or patients would leave your business or practice. Could your business survive such an incident?
So what should smaller organizations including medical practices do?
- Recognize the weaknesses in their IT security
- Perform a risk assessment to determine which systems contain the most sensitive information and which should receive the highest levels of protection
- Discuss IT security with their IT department, IT company or IT support person and put a plan together to implement additional layers of security
- Look into Cyber / HIPAA insurance to provide financial assistance in the event they experience a security breach