As hackers target health care data, sector must get proactive
Better security crucial as cyber criminals realize long-term, lucrative potential of stolen information
By Byron Acohido, ThirdCertainty
Excellus and its parent company Lifetime Healthcare Cos. now join the growing list of major health care organizations—topped by Anthem, Premera Blue Cross and Community Health Systems—reporting massive data breaches.
Excellus admitted exposing more than 10 million patient records to cyber attackers. The stolen data is likely to include name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information, and claims information.
“We are in a cyber war and health care organizations are one of the primary targets,” observes Darren Guccione, CEO of password management company Keeper Security.
Much less is known about the specific damage wrought by the attackers who got inside the Energy Department’s network. Attackers successfully compromised DoE more than 150 times between 2010 and 2014, according to federal records obtained by USA Today.
In and of themselves, those metrics don’t reveal a whole lot. USA Today did not uncover contextual details. And DoE is not commenting.
“All government agencies are under constant attack,” observes Cris Thomas, strategist at Tenable Network Security. “The majority of these attacks are unsuccessful, however, some do succeed. The key isn’t in trying to prevent attacks but in detecting the successful ones sooner so as to mitigate damages and recover sooner.”
Presumably the breaches USA Today outed weren’t material enough to compel the agency to do a public disclosure as the Department of Personnel Management had to do as a result of losing records for 40 million people. We may yet hear otherwise from DoE.
Perhaps the most salient lesson from the DoE hacks is that they were exposed only because USA Today filed Freedom of Information Act requests to see public records of the agency’s breach-monitoring documents. By contrast, there are lessons aplenty spinning out of the Excellus hack.
For one, law enforcement now should have even more impetus to be on alert for signs of bad guys beginning to cash in on stolen health care data—at scale.
So far, there is only anecdotal evidence that stolen health care data has been used to conduct Medicaid/Medicare fraud, Thomas says. There are clear signs, however, that market dynamics are taking shape that will raise the underground value of such data.
“Health care data is more valuable in underground markets than financial data because there are a lot more different ways for fraudsters to monetize medical data—from filing false insurance claims, to using the data to acquire medical equipment or drugs that can then be resold,” Thomas says.
Dr. Hugh Thompson, CTO at Blue Coat Systems Inc., a security and networking solutions provider, believes it’s a matter of time before the monetizing of stolen health care data begins to accelerate.
“This data has a long shelf life,” Thompson says. “A credit card can always be cancelled or expire; a person’s health information, Social Security number, chronic conditions and prescription medication information cannot be wiped out as easily and has the potential to cause problems for victims months, years or even decades after it is stolen.”
Cyber criminals certainly recognize the nonperishable characteristic of stolen health care data. So they are moving to steal as much data as they can before health care companies finally get around to installing more robust security technology and adopting smarter policies and practices.
“It is safe to say that we will continue to see more attacks against these organizations,” Thompson says. “Much like financial services companies, health care organizations are always going to be top targets. As attackers develop the tactics to monetize health care data they will be even more incentivized to attack health care organizations.”
Tenable’s Thomas concurs. “Attackers go where there is lots of data and low security and right now that’s the healthcare industry,” he says. “We will continue to see large high profile breaches in healthcare—these attacks make it more important than ever that organizations practice acceptable levels of cyber hygiene.
Keeper Security’s Guccione says the decision-makers at health care companies of all sizes would be wise to pay heed to this quickening trend and plan accordingly. “It’s imperative that the health care sector take proactive, preventative measures to bolster security processes,” Guccione says.
More on health care data security:
Cloud use increases data security risk for health care organizations
Health care sector not doing enough to protect patient data
Health care data at risk: Internet of Things facilitates health care data breaches