The world is facing a growing prevalence of increasingly sophisticated, targeted, and malicious cyberattacks. This new reality forces us to continually evolve our understanding of our cyberenvironment and to re-evaluate and update our security posture in ways that minimize the growing cyberrisks to ourselves, our infrastructure, and our businesses. In doing so, we must recognize that any comprehensive cybersecurity strategy includes more than just technical elements. It must also include aspects of leadership, societal, and corporate culture and encompass larger economic and even sociopolitical elements (e.g., national security).
The annual global spend on cybersecurity is approaching $100 billion while global losses to businesses due to cyberincidents are nearing $1 trillion.1 We are clearly underspending on security, but do we need to spend $1 trillion to avoid the loss of $1 trillion? The truth probably lies somewhere in between, and the right approach may not be to just spend more, but also to spend smarter.
This opens up the larger question on “cybersecurity economics,” which in turn breaks down into three main themes and their associated questions:
The underground economy. What does today's underground marketplace look like, and how do financially motivated cybercriminals actually make money? How does the hacker economy work, and what goods, tools, and services are being traded? Who are the actors (nation-states, cyberactivists, hackers-for-hire, and individuals of varying motivation), and what are their motivations and interests?
Cybersecurity impact. How do cybercompromises affect our businesses and society? How much are we investing in cybersecurity, and relative to that, what are the resulting losses (or risks of loss) to businesses, communities, and individuals? How do we quantify and estimate the actual and potential financial consequences of a cyberincident?
Leadership and business decision making. How does an executive leader make sure they are investing enough in cybersecurity? How do they know how much risk reduction or transfer is appropriate to protect their business from losses due to a cyberincident? What is the right level of budgeting, technology, staffing, and insurance? And how do they justify an investment in cybersecurity when the costs are hard but it is difficult to demonstrate the resulting soft benefits?
This article will provide the reader with a deeper understanding of their security and business risks relative to the ever-changing threat landscape. Understanding how the underground economy operates, the potential financial implications of a cyber incident, and the role of executive leadership is critical to addressing cyber risks and minimizing any potential harm. The healthcare industry must be especially vigilant due to the high value of protected health information (PHI), the relative vulnerability of its systems, and the need to maintain clinical operations and ensure care delivery and patient safety.
Today's Underground Economy
To understand the sheer size of the underground economy, we can look at the very basic metrics of malware production. In 2008, more than 1 million new malware samples were produced in an entire year. By 2016, more than 1 million were being produced every day.2 Malware production is now run as a business that includes tools to build, test, obfuscate, deliver, and manage malware.
The sheer volume of malware presents a challenge in itself, compounded by increasing sophistication and the ability to target unique applications at specific organizations to reach very specific goals. Even though the Windows and Android operating systems are the most common and take much of the heat, any other operating system, database, application, runtime environment, or website platform is a potential target.
In addition to malware, the underground economy includes a market for everything of value: information (e.g., stolen identities, intellectual property), hacking tools and services, vulnerabilities (especially the highly prized and priced “zero-day” vulnerabilities3), attack hosting services, distributed denial-of-service attacks, and services provided by hackers-for-hire (i.e., cybercrime as a service [CaaS]4). CaaS has fundamentally changed the underground economy and cybercrime. Today, anybody with money and malicious intent, no matter what the motivation, can hire a “smart guy” or rent the tools to get the deed done.
Reports published over the past few years indicate that stolen health records sell for 10 to 20 times the value of a credit card number.5 In reality, underground market pricing is a bit more complex than that. Recently, stolen Australian Medicare card details were priced at 0.0089 bitcoin per patient, or about $22.6 But mass patient data dumps have also offered discounted prices as low as $1 to $2 per record 7 and we have even seen free data dumps used to support extortion schemes.8 In summary, medical record pricing varies widely based on the intent of the seller and the type of data available. Supply and demand applies all the same to the underground economy.
Table 1 demonstrates additional complexity in this underground economy. The value for simple credit card numbers may indeed be priced below $1, but more complete card information (i.e., full details, magnetic strip information, personal identification number) may price up to $100.
Medical data are generally recognized as having a higher value than other types of data because they are typically:
Very comprehensive. Medical data may include the victim's name, address, date of birth, payment and financial account data, health insurance data, medical history, and sometimes even next of kin or photos.
Long living. Unlike credit card numbers, medical records and insurance numbers are more difficult to change and often have a lifetime value.
Can be monetized in a variety of ways. Medical records can be used for traditional identity theft, medical insurance theft, fraud, drug abuse, blackmail, and extortion.9
Are valuable for political espionage. Combining vaccination information with government employment data may indicate upcoming foreign travel, or state actors may identify government employees with high medical bills who could be open to compromise.
Attractive data held by healthcare organizations are not limited to PHI. They also include personally identifiable information, human resource data (e.g., contracts and salaries), financial and business information, research and intellectual property, and network and system credentials.
The value of medical data is generally believed to be high. However, it can be difficult to benefit from that value. The complexity and effort required to monetize medical data may discourage hackers as many of them tend to be opportunistic.
Ransomware provides a useful example of the evolution of cybercrime trends and how opportunity drives the market. Ransomware is following several trends10:
Attacks are moving from being largely indiscriminate to more targeted.
Hackers are using advanced attack techniques similar to those used in cyberespionage attacks.
The size of ransom demands is increasing. The average ransom demand is now $1,077, up from $294 in 2015.
More ransomware programs are being released. A record 98 new ransomware families were discovered in 2016, compared with 30 in previous years.
The advent of CaaS-based ransomware means that a larger number of cybercriminals will participate, including those with relatively low levels of expertise.
Cryptoransomware software is becoming more advanced.
Hackers are developing new models (e.g., re-encrypting files that have already been ransomed, or fake ransomware that masks a more destructive cyberattack).11
Ransomware attacks have affected the healthcare industry in particular due to its fairly low security posture, the prevalence of legacy or unpatched systems, the relatively high value of data to the organization, and the pressure to restore interrupted operations.
Beyond the confidentiality of health data (e.g., a breach) and its availability (e.g., ransomware), we must also consider its integrity (i.e., accuracy of data). Falsified data could be used to harm a patient, ruin the reputation of a healthcare provider, or reach certain political goals (e.g., the publication of falsified medical records of 2016 presidential candidate Hillary Clinton).12 The tricky part about data integrity is that an attacker may not have to actually manipulate the data. To create uncertainty and even disruption, they just need to create doubt in the accuracy of information.
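The integrity point above is the one a security engineer can actually do something about: if the accuracy of a record can be checked rather than merely trusted, "creating doubt" becomes much harder. The block below is an added example, not from the article, showing a standard approach, an HMAC tag over each version of a record, chained over the previous version's tag so that edits, reordering, and deletions of history all surface. The key, patient values, and timestamps are constructed placeholders.

```python
"""Added example (not from the article): tamper-evident patient record history
using HMAC tags chained over successive versions. The technique is standard;
the key, record contents and timestamps are constructed placeholders.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

# Placeholder key for the example. In production, generate it with
# os.urandom(32) and keep it in a KMS/HSM that database administrators and
# application servers cannot read: an attacker who can read the key can simply
# re-tag the records he falsified.
KEY = b"example-integrity-key-not-for-production"
GENESIS = "genesis"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so equal content always gives an equal tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_version(record: dict, prev_tag: str, key: bytes = KEY) -> str:
    """HMAC-SHA256 over the previous tag and this version's content.

    Chaining in prev_tag means that editing, reordering or removing an earlier
    version invalidates every tag that follows it.
    """
    mac = hmac.new(key, prev_tag.encode("ascii") + b"\x00" + canonical(record), hashlib.sha256)
    return mac.hexdigest()


def append_version(history: list, record: dict, key: bytes = KEY) -> str:
    """Append a new version and return its tag (the new chain head)."""
    prev = history[-1]["tag"] if history else GENESIS
    tag = tag_version(record, prev, key)
    history.append({"record": record, "tag": tag})
    return tag


def verify_history(history: list, expected_head: Optional[str] = None,
                   key: bytes = KEY) -> tuple:
    """Recompute the chain. Returns (ok, index of first bad version, or -1).

    expected_head is the latest tag as recorded somewhere the attacker cannot
    reach (e.g. a write-once audit log). Without it, silently dropping the most
    recent version(s) still yields a valid-looking chain.
    """
    prev = GENESIS
    for i, entry in enumerate(history):
        if not hmac.compare_digest(tag_version(entry["record"], prev, key), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(history)
    return True, -1


# Constructed sample: two successive versions of one patient's allergy list.
VERSIONS = [
    {"patient_id": "P-000123", "allergies": ["penicillin"], "updated": "2017-06-01T10:00:00Z"},
    {"patient_id": "P-000123", "allergies": ["penicillin", "latex"], "updated": "2017-06-15T09:30:00Z"},
]


def build_history(versions=VERSIONS) -> tuple:
    """Build the chained history and return (history, head_tag)."""
    history: list = []
    head = GENESIS
    for v in versions:
        head = append_version(history, v)
    return history, head


def demo() -> dict:
    """Exercise the three cases a practitioner cares about."""
    history, head = build_history()

    edited = copy.deepcopy(history)
    edited[0]["record"]["allergies"] = []  # silently drop a recorded allergy

    rolled_back = history[:-1]  # remove the newest version entirely

    return {
        "intact": verify_history(history, head)[0],
        "edited_detected": not verify_history(edited, head)[0],
        "edited_at": verify_history(edited, head)[1],
        # passes: the chain by itself cannot see a truncation
        "rollback_without_anchor": verify_history(rolled_back)[0],
        # fails: the stored head no longer matches the last tag
        "rollback_with_anchor": verify_history(rolled_back, head)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats matter in practice. First, the tags only help if the key lives outside the database and application tier; otherwise whoever can falsify a record can also re-tag it. Second, a chain alone proves that what remains is consistent, not that nothing was removed from the end, so the current head must be anchored somewhere the database writer cannot modify, as the rollback case in the demo shows.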
The Financial Impact of Cyberincidents
In the past, the main cybersecurity items of concern were workstations and servers. Our understanding has evolved: we now focus on the business value of data itself (due to ransomware threats) and are beginning to consider more complex risk scenarios such as cyber-physical systems (e.g., medical devices, building systems), business operations (i.e., in healthcare, the ability to deliver care), and supply chains (e.g., the Petya ransomware attack on shipping giant AP Moller-Maersk13). Global cybersecurity events have greatly affected businesses (e.g., FedEx's TNT unit may never fully recover from a June cyberattack, and the lost revenue could materially affect its financial results14).
The Ponemon Institute is a leader in the in-depth study of the costs of cybersecurity incidents and breaches. Summarizing an editorial by Larry Ponemon, organizations need to realize that15:
Data breaches are now a cost of doing business, and that cost needs to be incorporated into an organization's data protection strategies.
The biggest financial consequence of a data breach is lost business.
Most data breaches are now caused by criminal and malicious attacks. These breaches also take the most time to detect and contain.
The longer it takes to detect and contain a breach, the more costly it becomes.
Highly regulated industries such as healthcare and financial services have the most costly data breaches.
Improvements in data governance and incident response plans will reduce the cost of a breach.
Investments in certain security technologies are important for preventing and reducing the cost of data breaches.
The Ponemon Institute's 2017 Cost of Data Breach Study (United States) report summarizes the financial effects of cybercrime16:
The average cost of a breach has reached an all-time high of $225 per record.
Healthcare organizations had the highest per-record cost, $380 (up from previous years).
Healthcare has the third-highest churn rate (abnormal customer loss) after a breach (5.5%).
Across all industries, malicious attacks (as compared with a system glitch or human error):
– Remain the largest category of breaches (52%).
– Have the highest cost ($244 per record).
– Take the longest to identify (235 days, on average) and to contain (68 days).
Assessing how a cyberincident affects an organization's finances is complex, and it can be costly to many facets of an organization. In addition to actual hard costs (e.g., information technology [IT] remediation efforts), there are legal and regulatory costs (e.g., fines, lawsuits) and indirect costs resulting from loss of business and effects on reputation.
Studies of the costs related to a security incident examine cyberinsurance claims18 and demonstrate the major financial risk of a security incident (Table 3). Other helpful online tools are available to estimate the likelihood and/or financial effects of a security incident.19–21
Leadership and Business Decision Making
Cybersecurity awareness has not fully reached the executive and board level of the majority of businesses. Many remain stuck in “denial” or “worry” phases. Or, even worse, they may take on a position of false confidence.22 Many may not perceive cybersecurity as a value-add component to their business.23 Cybersecurity requires hard costs but yields soft benefits. This makes it difficult to demonstrate a cybersecurity-related return on investment. Considering those cybersecurity-related investments requires sound judgment in the absence of hard data.24
The Department of Justice provides guidelines to improve the cybersecurity awareness of organizations.27 The guidance includes understanding how a business could be affected by a security incident, establishing a plan for emergency decision making (technical and nontechnical), and assessing the potential legal, regulatory, and compliance impacts of an incident.27 The Information Systems Audit and Control Association (ISACA) provides further cybersecurity guidance for board members,28 and the National Association of Corporate Directors lays out five key cybersecurity principles29:
Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
Boards should have adequate access to cybersecurity expertise, and discussions about cyberrisk management should be given regular and adequate time on the board meeting agenda.
Directors should set the expectation that management will establish an enterprisewide cyber risk management framework with adequate staffing and budget.
Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
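The last principle, deciding which risks to accept, mitigate, or transfer through insurance, is the same question asked under The Financial Impact of Cyberincidents: how to put a number on a potential incident. The block below is an added example, not from the article or any of the tools it cites, using two standard risk-quantification formulas, annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) and return on security investment (ROSI = (ALE reduction - control cost) / control cost), to compare the options side by side. The only figure taken from the article is the Ponemon 2017 healthcare cost of $380 per record; the record count, breach probability, control cost and effectiveness, and policy terms are assumed, illustrative inputs.

```python
"""Added example (not from the article): putting numbers on the accept /
mitigate / transfer decision with annualized loss expectancy (ALE) and return
on security investment (ROSI).

ALE = SLE x ARO and ROSI = (ALE reduction - control cost) / control cost are
standard risk-quantification formulas. The only figure taken from the article
is the Ponemon 2017 U.S. healthcare cost of $380 per record; record counts,
probabilities, control effectiveness and policy terms below are assumed,
illustrative inputs.
"""
from dataclasses import dataclass, replace

COST_PER_RECORD_HEALTHCARE_2017 = 380.0  # Ponemon 2017, as quoted in the article


@dataclass(frozen=True)
class BreachScenario:
    records: int               # records exposed if the scenario occurs (assumed)
    cost_per_record: float     # all-in cost per record, including lost business
    annual_probability: float  # ARO: expected occurrences per year (assumed)

    def sle(self) -> float:
        """Single loss expectancy: cost of one occurrence."""
        return self.records * self.cost_per_record

    def ale(self) -> float:
        """Annualized loss expectancy: average cost of the risk per year."""
        return self.sle() * self.annual_probability


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: float  # fraction of ARO removed, 0..1 (assumed)


@dataclass(frozen=True)
class CyberInsurance:
    annual_premium: float
    deductible: float
    limit: float


def mitigate(s: BreachScenario, c: Control) -> BreachScenario:
    """Scenario after the control is in place: same impact, lower likelihood."""
    return replace(s, annual_probability=s.annual_probability * (1.0 - c.probability_reduction))


def rosi(s: BreachScenario, c: Control) -> float:
    """Return on security investment for control c against scenario s."""
    saved = s.ale() - mitigate(s, c).ale()
    return (saved - c.annual_cost) / c.annual_cost


def payout(sle: float, p: CyberInsurance) -> float:
    """What the policy pays for one occurrence: loss above the deductible, capped at the limit."""
    return min(max(sle - p.deductible, 0.0), p.limit)


def annual_cost_of_options(s: BreachScenario, c: Control, p: CyberInsurance) -> dict:
    """Expected annual cost (money spent plus money still at risk) of each treatment.

    'Avoid' (not holding the data or not running the system) is the fourth
    option; its cost is the lost business value and is not modelled here.
    """
    m = mitigate(s, c)
    retained = s.sle() - payout(s.sle(), p)  # loss still borne after the policy pays
    return {
        "accept": s.ale(),
        "mitigate": c.annual_cost + m.ale(),
        "transfer": p.annual_premium + retained * s.annual_probability,
        "mitigate+transfer": c.annual_cost + p.annual_premium + retained * m.annual_probability,
    }


def best_option(costs: dict) -> str:
    """Option with the lowest expected annual cost."""
    return min(costs, key=costs.get)


# Assumed inputs for a mid-sized provider; only cost_per_record comes from the article.
EXAMPLE_SCENARIO = BreachScenario(records=50_000,
                                  cost_per_record=COST_PER_RECORD_HEALTHCARE_2017,
                                  annual_probability=0.10)
EXAMPLE_CONTROL = Control("endpoint detection + patch cadence + segmentation",
                          annual_cost=400_000.0, probability_reduction=0.5)
EXAMPLE_POLICY = CyberInsurance(annual_premium=250_000.0, deductible=500_000.0,
                                limit=10_000_000.0)


if __name__ == "__main__":
    costs = annual_cost_of_options(EXAMPLE_SCENARIO, EXAMPLE_CONTROL, EXAMPLE_POLICY)
    print(f"SLE ${EXAMPLE_SCENARIO.sle():,.0f}  ALE ${EXAMPLE_SCENARIO.ale():,.0f}  "
          f"ROSI {rosi(EXAMPLE_SCENARIO, EXAMPLE_CONTROL):.2f}")
    for name, cost in costs.items():
        print(f"{name:18s} ${cost:,.0f}")
    print("lowest expected annual cost:", best_option(costs))
```

With these inputs the control alone has a ROSI of 1.375 (it returns more than it costs), insurance alone is cheaper than accepting the risk, and the combination is cheapest, because the $10 million limit leaves $9 million of a $19 million loss uninsured and the control halves the chance of having to bear it. Two cautions when using this with real numbers: the per-record figures are averages over the breaches Ponemon sampled and should not be extrapolated linearly to very large breaches, and the annual probability is the least reliable input, so run the comparison over a range of probabilities rather than trusting a single point estimate.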
Yet, many executives are at least aware of the problem. A recent study by the Global Business Council25 examined business executives' views of developments that could affect the global business operating environment. Their number-one concern was that cyberattacks will become more frequent and costly, with 85% believing it to be a likely disrupter over the next 12 months (ahead of concerns around Brexit, political populism, economic and financial volatility, or global commodity pricing). Furthermore, executives rated cybersecurity risks as their leading operational challenge, well ahead of concerns about innovation, business efficiency, and technology adoption. Clearly, cyber risks are becoming an executive and boardroom concern. But is the appropriate action being taken?
The effects of a large cybersecurity incident can reflect a failure of board members to uphold their fiduciary duties. Although technical details about security architecture and day-to-day security decisions should not be a board's concern, enabling a strong cybersecurity posture and being informed about an organization's current state should be. Similarly, technical security leadership (e.g., a chief information officer or chief information security officer) bears the responsibility for communicating cybersecurity issues in the context of what is relevant to the board.
A study by the Healthcare Information and Management Systems Society (HIMSS) and Symantec26 from March 2017 revealed that healthcare security budgets are trending up, with 25% of organizations now spending 7% to 10% of their IT budgets on security (up from 10% in 2015). Still, 65% of organizations are spending 6% or less. Although the number of employees allocated to IT security also increased in 2016 (with 13% of organizations now reporting 6–10 employees and 11% reporting 11–20), budget and staffing were still ranked as the biggest barriers to higher levels of confidence in respondents' security programs (Figure 1).
The Challenges of Healthcare Cybersecurity
We must understand that compliance and cybersecurity are two related-yet-separate objectives. For too long, we have equated compliance with cybersecurity. Too many organizations were perfectly compliant yet still incurred breaches (e.g., Target and Heartland Payment Systems, which were both PCI [payment card industry] compliant30).
In healthcare, we have more than a decade of Health Insurance Portability and Accountability Act Security Rule compliance behind us. Yet, the annual number of breach events stays fairly constant.31 The hard truth is that “compliance” only works if your enemy is the compliance auditor.32 In the real world of security, it is a different battle against a highly skilled, unforgiving, and mostly unknown enemy.
One common conflict is between the need to share security information and best practices (potentially even with competitors) and perceived business and legal conflicts. The Cybersecurity Information Sharing Act of 2015 protects and encourages such information sharing.33 Information sharing is a vital resource for critical infrastructure security and resilience, and it is essential to the protection of critical infrastructure (e.g., healthcare).34 For the healthcare industry, the nonprofit National Health Information Sharing and Analysis Center was established in 2010 to share information and intelligence on cyberthreats and vulnerabilities.35
Although technology is the foundation of any good security program, cybersecurity professionals should not fool themselves into thinking that they can win an arms race between attack and defense tools. What is much more important is assembling the right teams, establishing processes that are nimble and adaptable, and developing and implementing a tested incident response plan. Note that incident response is not only a technical process. It also includes business decision making around regulatory reporting, public statements, operations, and care delivery decisions.
Business cybersecurity risks represent both a problem for individual organizations and a concern for our national and global economies. According to a recent study by Lloyd's of London, a major global cyberattack could cause $53 billion in economic losses, comparable to a catastrophic natural disaster such as Superstorm Sandy in 2012.36 The effects of the major global cyberevents seen so far (e.g., WannaCry, estimated cost $8 billion; Petya, estimated cost $850 million) are relatively small compared with such a potential catastrophic global event.
A hospital executive, board member, or other business decision maker and his or her peers on the IT and technology side need to think about cybersecurity in business risk terms, not just technical terms. He or she must be willing to accept cybersecurity responsibility by defining the business's risk tolerance, establishing governance, determining the appropriate risk metrics and the right processes, and enabling the technical teams to do their jobs through empowerment, budgeting, and staffing, as well as education and workforce development. Most importantly, decision makers in all organizations must establish a culture that values and practices cybersecurity.
About the Author
Axel Wirth, CPHIMS, CISSP, HCISPP, is distinguished technical architect at Symantec in Cambridge, MA. Email: firstname.lastname@example.org