May 29, 2015
Hackers Have Health Data in their Crosshairs
Guest post by Sergio Galindo, general manager, GFI Software.
With stolen medical data selling on the black market at a rate anywhere between 10 and 50 times that of stolen credit card numbers, hackers have a new favorite target – the healthcare industry.
The industry is a sitting duck, and hackers have declared open season. Indeed, we have seen several extremely high-profile penetrations of healthcare companies in the past months, and more are likely in the coming months. Anyone with medical insurance should pay attention to the increasing number of data security breaches.
Consider the three most high-profile security incidents that have recently struck the healthcare industry. Community Health Systems claims that no medical information was exposed when the insurer was hacked, but the breach affected some 4.5 million records within its systems. In February of this year, Anthem reported that a breach resulted in 80 million records being stolen. Recently, attackers also broke into Premera Blue Cross and obtained medical and financial data of 11 million of its customers, stealing both electronic health records (EHR) and protected health information (PHI).
While stolen credit card data may fetch between $1 and $2 per record, EHRs are far more lucrative for hackers, often going for $20 to $50 per entry. This value stems from several factors:
- EHRs can contain data that enables identity theft;
- Stolen EHRs can be used to commit insurance fraud;
- Users can use EHRs to obtain medical services and prescription medications; and
- EHRs can also be used for extortion.
It’s worth noting that the value of stolen data increases relative to its longevity as a source of revenue. For example, credit card numbers are often replaced in 30 to 90 days (a new number is issued), and business information (price lists, customer databases) remains valid for up to three years, while medical information can remain valid for more than 10 years. Social Security numbers have the longest ROI for cybercriminals because they last until the individual passes away (and even then they are still used).