Hackers target health care as industry goes digital

Medical fraud could increase as hackers gain sensitive medical information on victims

With more health providers and insurers incorporating IT into clinical care, hackers are viewing the health care industry as their next target.

"Cybercriminals know that the health industry is moving into EHRs and there's more data to steal," said Ann Peterson, program director at the Medical Identity Fraud Alliance, an organization that works to reduce medical fraud.

Electronic health records, or EHRs, are increasingly being used by hospitals and doctors' offices to store information such as test results and treatment plans, along with data such as patient names, Social Security numbers and birth dates.

Health insurance companies also use EHRs and store other personal data, such as credit card details, making them attractive targets for hackers. This week, Anthem, one of the largest health insurers in the U.S., said sensitive information on possibly 80 million employees and customers had been exposed during a cyberattack. The information thieves made off with included patient names, Social Security numbers, birth dates and medical identification numbers.

The information can be pieced together and used to commit a variety of types of fraud, making it lucrative for hackers. Social Security numbers, for example, can be used to gain access to bank accounts, noted John Kindervag, a principal analyst at Forrester Research.

By targeting Anthem, hackers were able to access information that is commonly used to reset user names and passwords, said Ian Campbell, CEO of Nucleus Research. People are sometimes asked to enter their mother's maiden name when signing up for services, for example. Since this information is static, it can be combined with a person's email address to reset a person's email account.

"People should ask 'Will I have a problem 10 years from now because someone knows information that's not normally available?'" he said.

The health care industry is especially vulnerable compared to retailers and banks, which are more accustomed to cyberattacks, said Lynne Dunbrack, research vice president at IDC Health Insights.

"Cybercriminals tend to think of health care organizations as soft targets. Historically, they haven't invested much in IT, and security specifically," she said.

The Anthem breach could affect its finances, Dunbrack said. The U.S. Health Insurance Portability and Accountability Act, which aims to keep health care data private, requires that Anthem notify each victim, a process that costs about US$350 per record, Dunbrack said. Companies that violate HIPAA can face substantial fines. Last year, a New York City hospital was fined $4.8 million after it posted the medical data of 6,800 patients to the Web.

Health care breaches can also lead to an uptick in medical fraud, Peterson said. Health records contain insurance details that people can use to impersonate a hacking victim to receive care. Some insurance plans cover costly procedures that others don't, so there's a demand for credentials to access better coverage.

A set of medical data that can be used to receive care may fetch between $20 and $200 on the black market, Dunbrack said.

Fraud victims often don't realize they've been attacked until it's too late. They might receive a notice from their insurer for treatment they never received. Or they may find out in a more dramatic fashion, such as having an allergic reaction to a drug after an imposter altered a medical record.

"It can be deadly, depending on the level of compromise to the medical records and how much of their data is co-mingled with your data," said Dunbrack.

People need to be as vigilant about protecting and reviewing their medical data as they are with their credit card information, said Peterson at the Medical Identity Fraud Alliance, noting that laws protect people only to a degree.

"We need to do our part and be aware of our medical information," he said.

Fred O'Connor writes about IT careers and health IT for The IDG News Service. Follow Fred on Twitter at @fredjoconnor. Fred's e-mail address is fred_o'connor@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Anthemsecurityhealth careindustry verticals

More about Forrester ResearchFredFred'sIDGNews

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Fred O'Connor

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place