Health records are the new credit cards

Forget credit card numbers. The hot new data for the modern bad guy is the electronic health record, which is not only worth more on the black market, but is easier to get.

According to a 2014 BitSight report, the health care industry has been lagging behind when it comes to security effectiveness, "with a worse average rating than the retail industry, including a high volume of security incidents and slow response times," said Stephen Boyer, CTO and co-founder at Cambridge, Mass.-based BitSight Technologies.

"Health care companies have often been more willing to accept those risks because of a mistaken belief that 'the hackers are after credit card numbers, not electronic health records,'" said John Pescatore, director of emerging trends at Bethesda, MD-based SANS Institute.

Meanwhile, Gemalto's 2014 Breach Level Index showed that the healthcare industry suffered more breaches last year than any other industry, accounting for 25 percent of all breaches globally.

"Cyber criminals are now going after health care records because they hold up to ten times more value on the black market over simple credit card numbers," said Carl Wright, general manager at San Mateo, Calif.-based TrapX.

Electronic health record information can be used for billing scams that go as high as the value of the health insurance policy, to purchase prescription drugs for resale on the black market, and also for run-of-the-mill identity theft.

In addition, recent changes in the health industry mean that many formerly offline, disparate health data sources are now being brought together, said Ivan Shefrin, vice president of security solutions at Cupertino, Calif.-based TaaSera, Inc.

"And attackers are carefully studying and exploiting weak spots in new, vast connectivity," he added.

The healthcare providers and insurance companies are often unprepared for the level of cyberattacks they're facing, he said.

Experts urge firms to reduce attack surface, add authentication, and share info

Encrypting data isn't a 100 percent solution to the issue of data breaches. After all, at some point, people have to be able to look at the information in order to work with it.

But there's a lot companies can do with encryption and tokenization to reduce the amount of time that data spends in unencrypted form, said Gerry Grealish, CMO at McLean, Va.-based Perspecsys.

This makes the criminals' job a lot harder, and allows security managers to concentrate their efforts on protecting those few vulnerable points.

"In essence, they are trying to find the needle in the haystack," said Grealish. "And if they were ever to locate it, they would find the needle itself is locked down and is under 24-7 monitoring."

Many of the recent breaches involve compromised credentials and abuse of privileges. The attackers get access to a user account, then leverage that access to get into other accounts, until they find one that leads to the data they want.

A second authentication step can make a huge difference.

Like banks that send a text message to confirm unusual transactions, companies can also use out-of-band authentication.

Those extra five or ten seconds, while only slightly inconvenient, could have saved Premera, Anthem, and Target, said John Zurawski, vice president at Chicago-based Authentify Inc.

"The Anthem breach was discovered when a user happened to notice activity against their own account," he said. "If that user had been required to re-authenticate via a separate channel, via their mobile phone for instance, the Anthem breach would have been discovered sooner. I suspect the same is true of Premera."

The Anthem and Premera attacks could be just the beginning, experts say.

"We be open to the possibility that a single incident is just one small part of a larger campaign," said Rich Barger, chief intelligence officer and director of threat intelligence at Arlington, VA-based ThreatConnect, Inc.

According to ThreatConnect's analysis, the Premera hack had been in staging since late December 2013.

"Other insurance companies should be looking to Threat Intelligence Platform technology," Barger added.

Threat Intelligence Platforms allow for greatly improved information sharing, aggregation of threat streams and intelligent analysis, and help companies detect sophisticated attacks early enough to shut them down before they do any damage.

"Multiple health insurers have recently detected breaches with similar tactics and timelines, indicating seriously elevated risk levels to health insurers and the healthcare sector generally," confirmed Adam Meyer, chief security strategist at Sterling, VA-based SurfWatch Labs Inc. "I expect the healthcare industry to see increased attacks."

And the damage won't be limited to just the health care sector, he added.

"It increases risk across all industries as employees with plans provided by the impacted insurers are consistently targets of secondary attacks and victims of fraud," he said. "All organizations should review their healthcare industry exposure and assess the impact as a supply chain risk that has a direct impact to the workforce."


Stories by Maria Korolov
