This year, Reuters reported that the FBI released a private notice to the healthcare industry warning providers that their cyber security systems are lax compared to other sectors. According to the Ponemon Institute, 72% of healthcare organizations say they are only somewhat confident (32%) or not confident (40%) in the security and privacy of patient data shared on HIEs. Personal information found in healthcare records fetches hefty sums on underground markets, making any company that stores such data a very attractive target for attackers. This data includes names, Social Security Numbers, birth dates, telephone numbers, member identification numbers, e-mail addresses, and mailing addresses. In the Premera breach, claim information, including clinical information, was also allegedly affected.
There are many ways to monetize medical data. For example, Social Security Numbers and mailing addresses can be used to apply for credit cards or get around corporate antifraud measures. This could explain why attackers have recently targeted U.S. health insurance providers. On March 17, 2015, Premera Blue Cross disclosed that the personal details of 11 million customers had been exposed in a hack that was discovered in January. In February, Anthem, another health insurance provider, said that 78.8 million customer and employee records were accessed in an attack. Credentials that include Social Security Numbers can sell for a couple hundred dollars, since the data’s lifetime is much longer than that of pilfered credit card numbers. Typical targets such as finance and retail have been attacked for decades and have become much stronger against cyber attacks, so the healthcare industry is now much less secure by comparison and more profitable to attack. The medical claim information that attackers in the Premera breach had access to could also be used to blackmail victims, according to Jeff Schmidt, CEO of IT security firm JAS Global Advisors. Attackers could look for sensitive clinical data, like poor test results, and e-mail patients threatening to make that information public unless they pay a ransom.
We expect healthcare breaches to increase. Healthcare organizations face the challenge of securing a significant amount of sensitive information stored in their networks, which, combined with the value of a medical identity string, makes them an attractive target for cyber criminals.