As hackers target health care data, sector must get proactive

Better security crucial as cyber criminals realize long-term, lucrative potential of stolen information

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The dis­clo­sures last week of hack­ers crack­ing into Excel­lus Blue­Cross BlueShield and the U.S. Depart­ment of Ener­gy are instruc­tive on sev­er­al levels.

Excel­lus and its par­ent com­pa­ny Life­time Health­care Cos. now join the grow­ing list of major health care organizations—topped by Anthem, Pre­mera Blue Cross and Com­mu­ni­ty Health Systems—reporting mas­sive data breaches.

Excel­lus admit­ted expos­ing more than 10 mil­lion patient records to cyber attack­ers. The stolen data is like­ly to include name, date of birth, Social Secu­ri­ty num­ber, mail­ing address, tele­phone num­ber, mem­ber iden­ti­fi­ca­tion num­ber, finan­cial account infor­ma­tion, and claims information.

Darren Guccione, Keeper Security CEO
Dar­ren Guc­cione, Keep­er Secu­ri­ty CEO

We are in a cyber war and health care orga­ni­za­tions are one of the pri­ma­ry tar­gets,” observes Dar­ren Guc­cione, CEO of pass­word man­age­ment com­pa­ny Keep­er Security.

More: Did same hack­ers hit Anthem, Premera?

Much less is known about the spe­cif­ic dam­age wrought by the attack­ers who got inside the Ener­gy Department’s net­work. Attack­ers suc­cess­ful­ly com­pro­mised DoE more than 150 times between 2010 and 2014, accord­ing to fed­er­al records obtained by USA Today.

In and of them­selves, those met­rics don’t reveal a whole lot. USA Today did not uncov­er con­tex­tu­al details. And DoE is not commenting.

All gov­ern­ment agen­cies are under con­stant attack,” observes Cris Thomas, strate­gist at Ten­able Net­work Secu­ri­ty. “The major­i­ty of these attacks are unsuc­cess­ful, how­ev­er, some do suc­ceed. The key isn’t in try­ing to pre­vent attacks but in detect­ing the suc­cess­ful ones soon­er so as to mit­i­gate dam­ages and recov­er sooner.”

Pre­sum­ably the breach­es USA Today out­ed weren’t mate­r­i­al enough to com­pel the agency to do a pub­lic dis­clo­sure as the Depart­ment of Per­son­nel Man­age­ment had to do as a result of los­ing records for 40 mil­lion peo­ple. We may yet hear oth­er­wise from DoE.

Cris Thomas, Tenable Network Security strategist
Cris Thomas, Ten­able Net­work Secu­ri­ty strategist

Per­haps the most salient les­son from the DoE hacks is that they were exposed only because USA Today filed Free­dom of Infor­ma­tion Act requests to see pub­lic records of the agency’s breach-mon­i­tor­ing doc­u­ments. By con­trast, there are lessons aplen­ty spin­ning out of the Excel­lus hack.

For one, law enforce­ment now should have even more impe­tus to be on alert for signs of bad guys begin­ning to cash in on stolen health care data—at scale.

So far, there is only anec­do­tal evi­dence that stolen health care data has been used to con­duct Medicaid/Medicare fraud, Thomas says. There are clear signs, how­ev­er, that mar­ket dynam­ics are tak­ing shape that will raise the under­ground val­ue of such data.

Health care data is more valu­able in under­ground mar­kets than finan­cial data because there are a lot more dif­fer­ent ways for fraud­sters to mon­e­tize med­ical data—from fil­ing false insur­ance claims, to using the data to acquire med­ical equip­ment or drugs that can then be resold,” Thomas says.

More: 3-part series, Tar­get­ing the health care sector

Hugh Thompson, Blue Coat Systems Inc. CTO
Hugh Thomp­son, Blue Coat Sys­tems Inc. CTO

Dr. Hugh Thomp­son, CTO at Blue Coat Sys­tems Inc., a secu­ri­ty and net­work­ing solu­tions provider, believes it’s a mat­ter of time before the mon­e­tiz­ing of stolen health care data begins to accelerate.

This data has a long shelf life,” Thomp­son says. “A cred­it card can always be can­celled or expire; a person’s health infor­ma­tion, Social Secu­ri­ty num­ber, chron­ic con­di­tions and pre­scrip­tion med­ica­tion infor­ma­tion can­not be wiped out as eas­i­ly and has the poten­tial to cause prob­lems for vic­tims months, years or even decades after it is stolen.”

Cyber crim­i­nals cer­tain­ly rec­og­nize the non­per­ish­able char­ac­ter­is­tic of stolen health care data. So they are mov­ing to steal as much data as they can before health care com­pa­nies final­ly get around to installing more robust secu­ri­ty tech­nol­o­gy and adopt­ing smarter poli­cies and practices.

It is safe to say that we will con­tin­ue to see more attacks against these orga­ni­za­tions,” Thomp­son says. “Much like finan­cial ser­vices com­pa­nies, health care orga­ni­za­tions are always going to be top tar­gets. As attack­ers devel­op the tac­tics to mon­e­tize health care data they will be even more incen­tivized to attack health care organizations.”

Tenable’s Thomas con­curs. “Attack­ers go where there is lots of data and low secu­ri­ty and right now that’s the health­care indus­try,” he says. “We will con­tin­ue to see large high pro­file breach­es in healthcare—these attacks make it more impor­tant than ever that orga­ni­za­tions prac­tice accept­able lev­els of cyber hygiene.

Keep­er Security’s Guc­cione says the deci­sion-mak­ers at health care com­pa­nies of all sizes would be wise to pay heed to this quick­en­ing trend and plan accord­ing­ly. “It’s imper­a­tive that the health care sec­tor take proac­tive, pre­ven­ta­tive mea­sures to bol­ster secu­ri­ty process­es,” Guc­cione says.

More on health care data security:
Cloud use increas­es data secu­ri­ty risk for health care organizations
Health care sec­tor not doing enough to pro­tect patient data
Health care data at risk: Inter­net of Things facil­i­tates health care data breaches

 

 


Posted in Data Breach, Data Security, Featured Story