Health records are the new credit cards
- 20 March, 2015 01:33
Forget credit card numbers. The hot new data for the modern bad guy is the electronic health record, which is not only worth more on the black market, but is easier to get.
According to a 2014 BitSight report, the health care industry has been lagging behind when it comes to security effectiveness, "with a worse average rating than the retail industry, including a high volume of security incidents and slow response times," according to Stephen Boyer, CTO and co-founder at Cambridge, Mass.-based BitSight Technologies.
"Health care companies have often been more willing to accept those risks because of a mistaken belief that 'the hackers are after credit card numbers, not electronic health records,'" said John Pescatore, director of emerging trends at Bethesda, MD-based SANS Institute.
Meanwhile, Gemalto's 2014 Breach Level Index showed that the healthcare industry suffered more breaches last year than any other industry, accounting for 25 percent of all breaches globally.
"Cyber criminals are now going after health care records because they hold up to ten times more value on the black market over simple credit card numbers," said Carl Wright, general manager at San Mateo, Calif.-based TrapX.
Electronic health record information can be used for billing scams that go as high as the value of the health insurance policy, to purchase prescription drugs for resale on the black market, and also for run-of-the-mill identity theft.
In addition, recent changes in the health industry mean that many formerly offline, disparate health data sources are now being brought together, said Ivan Shefrin, vice president of security solutions at Cupertino, Calif.-based TaaSera, Inc.
"And attackers are carefully studying and exploiting weak spots in new, vast connectivity," he added.
The healthcare providers and insurance companies are often unprepared for the level of cyberattacks they're facing, he said.
Experts urge firms to reduce attack surface, add authentication, and share info
Encrypting data isn't a 100 percent solution to the issue of data breaches. After all, at some point, people have to be able to look at the information in order to work with it.
But there's a lot companies can do with encryption and tokenization to reduce the amount of time that data spends in unencrypted form, said Gerry Grealish, CMO at McLean, Vir.-based Perspecsys.
This makes the criminals' job a lot harder, and allows security managers to concentrate their efforts on protecting those few vulnerable points.
"In essence, they are trying to find the needle in the haystack," said Grealish. "And if they were ever to locate it, they would find the needle itself is locked down and is under 24-7 monitoring."
Many of the recent breaches involve compromised credentials and abuse of privileges. The attackers get access to a user account, then leverage that access to get them into other accounts, until they find one that gets them to the data that they want.
A second authentication step can make a huge difference.
Like banks that send a text message to confirm unusual transactions, companies can also use out-of-band authentication.
Those extra five or ten seconds, while only slightly inconvenient, could have saved Premera, Anthem, and Target, said John Zurawski, vice president at Chicago-based Authentify Inc.
"The Anthem breach was discovered when a user happened to notice activity against their own account," he said. "If that user had been required to re-authenticate via a separate channel, via their mobile phone for instance, the Anthem breach would have been discovered sooner. I suspect the same is true of Premera."
The Anthem and Premera attacks could be just the beginning, experts say.
"We be open to the possibility that a single incident is just one small part of a larger campaign," said Rich Barger, chief intelligence officer and director of threat intelligence at Arlington, VA-based ThreatConnect, Inc.
According to ThreatConnect's analysis, the Premera hack was being staged since late December 2013.
"Other insurance companies should be looking to Threat Intelligence Platform technology," Barger added.
Threat Intelligence Platforms allow for greatly improved information sharing, aggregation of threat streams and intelligent analysis, and help companies detect sophisticated attacks early enough to shut them down before they do any damage.
"Multiple health insurers have recently detected breaches with similar tactics and timelines, indicating seriously elevated risk levels to health insurers and the healthcare sector generally," confirmed Adam Meyer, chief security strategist at Sterling, VA-based SurfWatch Labs Inc. "I expect the healthcare industry to see increased attacks."
And the damage won't be limited to just the health care sector, he added.
"It increases risk across all industries as employees with plans provided by the impacted insurers are consistently targets of secondary attacks and victims of fraud," he said. "All organizations should review their healthcare industry exposure and assess the impact as a supply chain risk that has a direct impact to the workforce."