Hackers are thinking about health
There are fewer information leaks from medical institutions in Russia, but the volume of leaked information is growing sharply. This increases the proportion of intentional leaks. Now they account for 87.5% of all health-related data that is in the public domain. The volume of leaks is growing both from hacker attacks, which have become more frequent against the backdrop of hostilities in Ukraine, and from deliberate “leaks” by employees of organizations. Information from clinics is becoming an increasingly liquid commodity on the data black market, experts admit. The trend, they believe, could be reversed by increased spending on cybersecurity and the introduction of turnover fines.
“Kommersant” has reviewed the InfoWatch report on information leaks in the healthcare sector for the first nine months of 2022. According to the report, the number of leaks decreased by 5.9% worldwide and by 33% in Russia. According to InfoWatch, eight databases of medical organizations were leaked in the Russian Federation during the specified period. At the same time, the volume of stolen data increased 775-fold, amounting to 31 million records. The company’s specialists attribute this disparity to the leak of information about more than 30 million clients of the Gemotest laboratory network (see “Kommersant” dated May 4).
Separately, InfoWatch notes a noticeable increase in intentional data loss: the share of deliberately stolen databases containing information about clients of Russian medical institutions increased by almost a third, from 58.3% to 87.5%.
DLBI founder Ashot Hovhannisyan attributes the rise in healthcare leaks to a general increase in cyberattacks since the outbreak of hostilities in Ukraine, as well as to the “traditionally low” level of cybersecurity in the sector. The share of health incidents involving hackers in 2022 has more than doubled compared to last year and reached 75%, according to the InfoWatch report. Since the beginning of the conflict in Ukraine, most of the state information systems and large companies have been hacked. For example, the number of ransomware attacks on Russian retail increased by 45% in the first half of the year (see “Kommersant” dated July 25).
If private and public medical organizations do not abandon the “leftover” model of allocating funds for cybersecurity, the upward trend in information leaks will continue, emphasizes Andrei Arsentiev, head of analytics and special projects at InfoWatch. Spending on cybersecurity should increase, agrees Vladimir Fedin, IT director of the medical company Invitro. At the same time, he notes, most large clinics have already “incurred additional costs” this year to find and implement cybersecurity solutions.
But the focus of companies on external cyberattacks often allows internal violators in medical organizations to go unnoticed, Mr. Arsentiev clarifies: “We also record an increase in deliberate leaks made by clinic employees — the share of such cases has grown from 42% to 50% over the year. Personnel control systems in medical institutions lag behind the current range of threats in terms of the level of implementation of the cybersecurity policy.” At the same time, information from clinics is becoming an increasingly liquid asset in the black market for data, he argues, since “knowledge of information about human health opens up incredible scope for blackmail and threats.”
Until turnover-based or “western-level” fines are introduced, businesses will have no incentive to fully solve the problem of data leaks, believes Igor Bederov, head of the Internet Search company.
After the leak, Gemotest was fined only 60,000 rubles (less than $1,000). In the same year, the American medical company EyeMed pledged to pay a $600,000 fine for leaking information about 2 million customers.
In the spring, the Ministry of Digital Development proposed amendments to the Code of Administrative Offenses, according to which a company that leaked personal data could be fined 1% of its annual turnover. The fine will rise to 3% if the firm tries to cover up the problem (see “Kommersant” dated May 30). Since the summer, the Ministry of Digital Development has been discussing with business options for a mechanism for compensating harm to affected entities. Thus, the head of the ministry Maksut Shadayev said on November 24 that a mitigating factor for companies that leaked personal data could be compensation for damage to two-thirds of the citizens affected by it.