Since 2009, the personal health information of almost 30 million Americans has been compromised. From Partners Healthcare and Anthem to the UCLA Health System and Children’s National Health System, it’s clear that healthcare organizations are a hot target, especially as medical records include exactly the kind of valuable data cyber criminals want to get their hands on. And, since information like social security numbers and birthdates can’t be “turned off” in the ways that stolen credit card numbers can, once cyber criminals get ahold of such records, they can do significant damage with them like counterfeiting patients’ identities.
It is crucial that the healthcare industry be vigilant when it comes to cyber security. From hospitals and insurers, to medical groups and individual practices, health-related organizations must ensure they are taking all possible measures to keep the personal information of their patients – not to mention their own brand reputation and business – safe. That raises some questions: Why are healthcare organizations such a hot target? How are they (and their patients) being targeted, and what can the industry do to stay one step ahead of cybercriminals and mitigate the ensuing risks?
What Makes Healthcare a Prime Target?
Healthcare organizations are a large target for many reasons. First and foremost, they possess extremely valuable assets, including the personal, family and billing information of their patients. It isn’t the blood type or cholesterol reports that make electronic health records the most valuable records on the cybercrime black market; it is the virtually complete personal identity information, including social security numbers, parents’ and maiden names, addresses, emails, children’s names and, in some cases, complete information on close friends. They are the holy grail of the identity theft world.
Second, the available attack surface in the healthcare industry is very complex. The healthcare industry contains many different organizations that have, over the past few years, moved to electronic systems, but not to a truly centralized electronic system. The reality of today’s healthcare records infrastructure is that there are many networks, data formats, communications protocols, passwords and access points all patched together. Not only is this amalgamated network challenging to maintain, it creates massive opportunities for compromise. Cybercriminals know this.
Healthcare is in the Cybercrime Crosshairs
Doctors are at the center of the healthcare universe. They interact and interface with patients, insurers, services providers and hospitals. Their office networks and smart devices connect with practically every network that affects their business. But doctors are not information technology or security experts. Less than 40 percent of doctors based in the U.S. feel that their cybersecurity processes are above average. Their lack of technical savvy and security knowledge makes them easy pickings for sophisticated cybercriminals. They need education and protection.
Patients are also prime targets. The Affordable Care Act (ACA) has accelerated the dramatic shift of health insurance and medical services to a digital transaction model. With the emergence of affordable individual policies, not tied to employer offerings, and online markets for health insurance, many more individuals are using online resources to evaluate insurance options, enroll and manage their healthcare. Patients also go online to update their records, view and manage results and appointments, and make payments. Insurers and hospitals use email to communicate and confirm transactions, or to flag issues with accounts or with payments. This is where cybercriminals see their opportunity. Additionally, the ACA has introduced healthcare options – requiring online healthcare management – to many families who are not as familiar with online risks, so they are easy prey for phishing and other cyberattacks.
Reducing the Risk of a Successful Attack
Almost all cyber events start out the same way, with a successful attack on a single individual (an employee, doctor or patient) or device. This initial incursion, whether through malware, social engineering or another means, can lead to illegal network access and records theft over the course of weeks or months. But if a healthcare organization can reduce the risk of that first attack succeeding, it makes it harder for cyber criminals to gain this access.
Guest post by Moshe Ben-Simon, co-founder and vice president of services and research, TrapX Security.
Healthcare is a major market in the United States with annual expenditures that consume almost 17.4 percent of the gross domestic product. Healthcare in the U.S. includes 893,851 physicians and 2,724,570 registered nurses, including the physician’s assistants and administrative staff that support them. Additionally, there are approximately 5,686 hospitals that support these professionals directly. The great majority of physician practices now have electronic medical records (EMR/EHR) systems that are all interconnected with the rest of the ecosystem.
The typical hospital is replete with Internet connected systems and medical devices. These devices are also connected to EMR systems that are being deployed at a fast pace across practices and hospitals because of government incentives, such as meaningful use. This creates a highly connected community that brings the most vulnerable devices together with some of the highest value data.
Medical records = big money for organized crime
Healthcare data presents a compelling opportunity for organized crime. Cybersecurity firm Dell Secure Works notes that cyber criminals were getting paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target Breach. The Federal Bureau of Investigation (FBI) issued a private industry notification (PIN) report in April 2014 that noted cyber-attacks will increase against healthcare systems and medical devices because of lax cybersecurity standards and a higher financial payout for medical records in the black market.
As of Mar. 30, 2015, the Identity Theft Resource Center (ITRC) has healthcare breach incidents at 32.7 percent of all listed incidents nationwide. Per ITRC, for the first quarter of 2015, more than 99,335,375 medical records have been exposed and compromised in the United States alone.
As in other industries, the attackers in healthcare may be standalone operators or part of larger organized crime syndicates. The great majority are clearly after valuable healthcare data and economic gain. Health insurance credentials can have a value 20 times that of a credit card on the hacker black market. These attackers know that healthcare networks are more vulnerable and provide greater potential rewards. They have already determined that these vulnerabilities are so extreme as to make healthcare the easiest choice for their attack.
Despite the latest/greatest perimeter network security technology, hackers continue to get in
The risk for ongoing data exfiltration, theft and subsequent HIPAA (Health Insurance Portability and Accountability Act) violations has never been higher. Basic defense-in-depth cyber security products seem to be failing at an increasing rate. The concept of defending a perimeter around hospital networks no longer works against a variety of cyber-attack vectors. Recent studies suggest that most hospitals are unaware of active attackers likely already hiding within the medical devices inside their networks.
These medical devices have become the key pivot points for attackers within healthcare networks. They are visible points of vulnerability in the healthcare enterprise and the hardest area to remediate even when attacker compromise is identified. These persistent cyber-attacks threaten overall hospital operations and the security of patient data.
Most hospital information technology teams are managing a very heavy workload. They must deal with a multitude of vendors and support a diverse set of networks across the hospital. Further, they must work to be compliant with HIPAA security rules and other compliance requirements. Cyber security products issue a multitude of alerts and can overwhelm these hospital teams, while real cyber security event alerts are perhaps hidden or missed.
Guest post by Sergio Galindo, general manager, GFI Software.
With stolen medical data selling on the black market at a rate anywhere from 10 to 50 times that of stolen credit card numbers, hackers have a new favorite target – the healthcare industry.
The industry is a sitting duck, and hackers have declared open season. Indeed, we have seen several extremely high-profile penetrations of healthcare companies in the past months, and more are likely in the coming months. Anyone with medical insurance should pay attention to the increasing number of data security breaches.
Consider the three most high-profile security incidents that have recently struck the healthcare industry. Community Health Systems claims that no medical information was exposed when the insurer was hacked, but the breach affected some 4.5 million records within their systems. In February of this year, Anthem reported that a breach resulted in 80 million records stolen, and recently attackers broke into Premera Blue Cross and obtained medical and financial data of 11 million of their customers, stealing both electronic health records (EHR) and protected health information (PHI).
While stolen credit card data may fetch between $1 and $2 per record, EHRs are far more lucrative for hackers, often going for $20 to $50 per entry. This value stems from several reasons:
EHRs can contain data that enables identity theft;
Stolen EHRs can be used to commit insurance fraud;
EHRs can be used to obtain medical services and prescription medications; and
EHRs can also be used for extortion.
It’s worth noting that the value of stolen data increases relative to its longevity as a source of revenue. Credit card numbers are often replaced in 30 to 90 days (a new number issued); business information remains valid for up to three years (price lists, customer database), for example, while medical information can remain valid for more than 10 years. Social Security numbers have the longest ROI for cybercriminals because they last until the individual passes away (and even then they are still used).