Hackers have found a new industry to target for stealing sensitive information and reaping financial gains: healthcare.
“IBM is calling 2015 the year of the healthcare security breach with 91% of healthcare organizations reporting at least one breach over the last year.”
A number of healthcare breaches have made the news lately, particularly involving large insurance companies and data clearinghouses. One of the latest is Excellus Blue Cross Blue Shield, which discovered on August 5 that attackers may have gained access to personal information for as many as 10 million individuals, including name, date of birth, Social Security Number, mailing address, telephone number, member identification number, financial account information, and claims information.
Many people are shocked at the sudden outburst of breaches in healthcare and wonder why hackers are interested in attacking this segment. Why is this information so valuable to hackers, and what are they gaining from it? This blog post aims to answer these very questions.
Why have Healthcare breaches become common?
Systems are old and complex
The healthcare industry lags far behind in tackling cyber threats and malware. Healthcare companies are not paying attention to cybersecurity, primarily because of the high cost of securing infrastructure. Many big companies have obsolete applications and security systems that break more frequently, are harder to patch and are easy to exploit. Working and reworking on these systems results in a much higher cost of operation.
Health IT is 95% manual work
In cybersecurity, manual work is a risk and can result in errors. When engineers manually patch a vulnerability on hundreds of servers, the chance of missing a critical update is high, which creates an open door for hackers.
In case of a security threat, system engineers dig through the logs of individual applications or, worse, individual servers to locate the problem. This may take hours, during which the hacker can wreak havoc in your environment.
HIPAA compliance alone is insufficient to secure your data & network
Although the Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data, the law in itself isn’t foolproof in keeping the data safe. A good example of this is encryption. Encryption is not a requirement under HIPAA, but it is important to keep the data encrypted to avoid data theft.
Moreover, hackers have become more strategic & advanced in their attacks. Healthcare organizations need to go above and beyond required functions to truly secure their environments.
Health data is valuable
According to Reuters, people’s health records are ten times more valuable than credit card records. Hackers have already stolen hundreds and millions of healthcare records and are making good money by selling them on the black market. There are plenty of other ways hackers use healthcare data to make profits; let’s take a look at them.
Why do cyber criminals target healthcare?
To understand this, let’s compare a financial data threat with a healthcare data threat. When a person’s financial data is stolen, he blocks the card the second he comes to know of the fraud, leaving hackers a finite lifespan in which to tamper with the data. On the other hand, when healthcare records are stolen, hackers get rich identity data such as Social Security numbers and medical and prescription records, which take relatively longer to cancel. This means a much longer shelf life for hackers to take unfair advantage of the data.
Another reason is obviously the huge monetary profits that hackers make by selling these records. The FBI recently said criminals can sell healthcare information for as much as $50 a record. For the attackers who targeted Excellus, that's easily $500 million worth of information they have on hand, if they choose merely to sell it on the black market.
There’s yet another reason, which Angel Grant, senior manager for anti-fraud solutions at RSA, discloses: "Health insurance credentials are especially valuable in today's economy because health care costs are causing people to seek free medical care with these credentials."
The healthcare industry needs to buckle up on infrastructure security and take effective measures to secure patient data. That's exactly what our next post will talk about: security measures that the healthcare industry should take to fight cybercrime. Stay tuned!
Meanwhile, do share your thoughts on how you think the healthcare industry can fight cyber crimes. I would be glad to add them to my list in the next post!