Guest post by Sergio Galindo, general manager, GFI Software.
With stolen medical data selling on the black market for anywhere from 10 to 50 times the price of stolen credit card numbers, hackers have a new favorite target – the healthcare industry.
The industry is a sitting duck, and hackers have declared open season. Indeed, we have seen several extremely high-profile penetrations of healthcare companies in the past months, and more are likely in the coming months. Anyone with medical insurance should pay attention to the increasing number of data security breaches.
Consider the three most high-profile security incidents that have recently struck the healthcare industry. Community Health Systems claims that no medical information was exposed when the insurer was hacked, but the breach affected some 4.5 million records within its systems. In February of this year, Anthem reported that a breach resulted in 80 million records stolen, and recently attackers broke into Premera Blue Cross and obtained medical and financial data on 11 million of its customers, stealing both electronic health records (EHR) and protected health information (PHI).
While stolen credit card data may fetch between $1 and $2 per record, EHRs are far more lucrative for hackers, often going for $20 to $50 per entry. Several factors drive this value:
- EHRs can contain data that enables identity theft;
- Stolen EHRs can be used to commit insurance fraud;
- EHRs can be used to obtain medical services and prescription medications; and
- EHRs can also be used for extortion.
It’s worth noting that the value of stolen data rises with how long it remains usable as a source of revenue. Credit card numbers are often replaced within 30 to 90 days (a new number is issued); business information such as price lists or a customer database remains valid for up to three years; medical information, by contrast, can remain valid for more than 10 years. Social Security numbers offer cybercriminals the longest ROI because they last until the individual passes away (and even then they are still used).
Many victims want their medical history to remain private and will pay to keep it so. Fraudulent charges against insurance policies, moreover, may take months to be discovered. These are just a few of the reasons why criminals find healthcare data such a lucrative business.
Anyone in the US who has ever obtained medical services, then received the “Explanation of Benefits” (EOB) statement several weeks later, knows it could be another month or more before a bill is due. Most people probably don’t even review the EOB, since it is not the “real” invoice.
In the United States alone, the healthcare industry is valued at more than $3 trillion annually. With all that money floating around, along with laws like HIPAA and programs like meaningful use, one would expect the healthcare industry to have invested heavily in cybersecurity. Unfortunately, it seems to be quite the opposite. According to the FBI’s Cybercrime Division, the healthcare industry is a sitting duck with “inadequate” security measures, lacking the ability to defend against even basic attacks.
Worse still, according to a 2013 study by the Ponemon Institute, almost two out of three healthcare industry organizations suffered a data breach in the past two years, and almost half self-reported that they had not implemented the security measures necessary to protect health information.
Right now, the healthcare industry seems incapable of defending itself against even the most basic attacks. Many companies have chosen – whether consciously or through neglect – to leave unguarded the health information they are required by law to protect. Meanwhile, the very agents tasked with holding insurers accountable – government officials, stockholders, and customers – have stood by and allowed these failings to persist. This failure-by-consensus approach provides hackers exactly what they most desire: an unguarded environment where easy, profitable targets are ripe for the picking.
Turning this vulnerability into a business-safe stronghold requires tougher government enforcement and closer stockholder scrutiny of corporate boards. Consumers should not wait around for these much-needed improvements, however, to safeguard their medical data from black market data bandits. Customers should flex their financial muscle and force insurance companies and other healthcare industry members to get tough.
Meanwhile, we wonder what it will take for the healthcare industry to acknowledge the cybersecurity needs of the 21st century. Should heavier fines be imposed? Would a fine starting at $500,000 shake operators awake? Maybe. But why do operators fail to realize that investing say, one-tenth of that fine on security, is a far more attractive option?
This is the challenge facing the industry: an apparent unwillingness to accept the reality that security is not an option. It’s a must. Security experts have been saying so for almost a decade.
And this is what hackers want. Indecision. Inaction. The lowest hanging fruit also happens to be the sweetest. At times, we pick it for them too. You can hardly blame the hackers for being unable to resist healthcare’s lack of data protection.