
Health records are the new goldmine for hackers

According to the Top CSO news website, security experts predict that “Health records are worth more and easier to get than credit card data.”

The rise in health data breach headlines may not necessarily suggest an increase in actual data breaches. It’s possible that organizations are just getting better at discovering that they’ve been breached, so it gets more attention than it would have in previous years for credit card fraud.

Health care offers attractive growth opportunities for cyber criminals looking to steal personal information. Such opportunities are giving tight competition to credit card fraud. Is this really getting as big as the credit card frauds of recent years? Every security consulting organization is making the same point: “Forget credit cards now. The hot new data for the modern bad guy is the electronic health record, which is not only worth more on the black market, but is easier to get.”

The latest breach, reported by the health insurer Anthem Inc., follows a year in which more than 10 million people were affected by health care data breaches — including hacking and accidents that exposed personal information, like losing a laptop — according to a government database. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.

The rise may be linked to businesses clamping down after massive breaches at Target and Home Depot. That has made it more difficult, in some cases, for cyber thieves, so they’ve turned to health care systems.

Experts say health care companies can offer many entry points for crooks. And once criminals get personal information, they can use it for more extensive and lucrative schemes.

‘‘If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,’’ said Tony Anscombe, a security expert at AVG Technologies. ‘‘With medical records and a Social Security number, it’s not so simple.’’

Health data also commands a higher price than credit card accounts in the marketplace for stolen information, said Al Pascual, a senior analyst at Javelin Strategy & Research.

Medical identity theft is an ongoing worry, as cybercriminals and credit card fraudsters “looking to capitalize on a bigger payout may continue to target the healthcare industry for access to patients’ protected health information.” Such theft has now claimed more than 1.8 million U.S. victims, granting hackers the ability to gain medical services, procure drugs, and defraud private insurers and government benefit programs, according to the Experian report.

“Medical identity theft is a serious threat that needs to be prioritized by healthcare organizations, regulatory groups and consumers.” “There is no single solution for fraud prevention, meaning we must take a collaborative approach to solving the issue. Industry and government must work together to develop holistic strategies pertinent to the fight against fraud, and consumers should take an active role in advocating for system wide reform.”

Once Anthem discovered the data breach Jan. 29, company officials contacted the FBI and retained Mandiant, a cybersecurity firm, to investigate the attack and review the insurer’s defenses. The intrusion occurred in early December, or possibly earlier, according to a second person briefed on aspects of the case, who also spoke on the condition of anonymity. The FBI said it is investigating the breach, which was reported Thursday by the Wall Street Journal.

Hackers were able to grab some of what experts called the most lucrative and damaging types of stolen personal data. Social Security numbers are an attractive target because they are tough to change and crucial to government, financial and medical use.

A set of complete health insurance credentials sold for $20 on underground markets in 2013 — 10 to 20 times the price of a U.S. credit card number with a security code, according to Dell.

Medical information includes key identifying details that could be used to create a “fake patient” that could fraudulently bill programs such as Medicaid.

“What we’ve seen in the last few years is that attackers have realized the economics of health-care data are very, very attractive,”

The link to Chinese hackers, which was first reported by Bloomberg News, means the attack could be part of a larger campaign, experts say.

The Chinese government hackers targeted health-care providers and insurance companies in the past six months for Social Security numbers and personal identifying information as well as health-care information.

That employee data was stolen in the Anthem hack could indicate that hackers might be preparing for another attack, which would allow them to access internal systems that they were otherwise unable to reach. The health-care industry has struggled to fortify itself against cyberattacks. Hospital groups and health insurers have often grown through buying smaller, regional firms with different technology and no overarching security policy. Many also use older computer systems that have proved more susceptible to attack.

Experts at the security-ratings firm BitSight said last year that the health-care industry’s cyber defense showed “signs of serious illness,” posting a bigger increase in security incidents over the previous year than industries such as finance and retail, but with continued failures to respond quickly to threats.

‘‘A health record has everything — financial account information, Social Security number, and health information.’’ So protection is very much required.

About the author Archana Chimankar

Archana Chimankar is an Information Security consultant. She has completed an MBA in IT Business Management, specializing in Information Security, from Symbiosis International University (SIU). She currently works with Tech Mahindra Ltd as a security consultant. She specializes in implementing and auditing various compliance frameworks such as ISO 27001 ISMS, IT General controls, BCMS, PCI DSS, SAS70 etc. and in delivering security awareness trainings to different clients.

Edited by Pierluigi Paganini

(Security Affairs –  Healthcare,   Health data)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
