Over the last few months, there has been a rash of successful healthcare-related cyber-attacks in the news.
These breaches range from hundreds of thousands to tens of millions of compromised records.
- LifeWise Health Plan. LifeWise is notifying more than 250,000 patients who may have had their personal data compromised by a cyber-attack in late January.
- Premera Blue Cross. Hackers may have obtained credit card data, social security numbers as well as medical problems from approximately 11 million customer records.
- Anthem. As many as 80 million affected by massive data breach.
Why are healthcare records such high value targets?
From a financial perspective, healthcare data is much more valuable than credit card data. Once it’s discovered that a credit card has been stolen, it can be immediately closed and that’s the end of its usefulness. However, health record data has many fraud related uses and it’s much more difficult to stop. The data can be used to create fake IDs which can be used for buying and reselling drugs, reselling stolen medical equipment, and more. They have also been used to file false claims (such as with Medicare), false tax returns, and even open credit card accounts.
Who is buying stolen health record data?
This information is often sold through black market websites that are not directly accessible through regular means on the internet. There are generally two types of customers for this data. The first is what you'd expect: criminals that intend to use the data to commit any number of types of fraud. The second is foreign governments looking to commit espionage. Obtaining massive amounts of healthcare data will likely mean they'll net a fair amount of information on government employees, individuals of interest, elected officials, and the families of all three.
What can I do to mitigate the risk to my organization?
While compliance (such as HIPAA and PCI) is not the end-all, be-all of security, it is at least a start. It's also important from a legal perspective: you don't want to be found out of compliance after a data breach occurs.
Costs associated with a data breach on the scale of even 1,000 records can be staggering once fees associated with lawsuits, remediation, fines and forensic investigations are added up. A properly designed cyber liability policy in conjunction with maintaining compliance will be absolutely critical.
The time to come up with an incident response plan and figure out which cyber security firm to bring in is before the worst happens. There is more involved than simply isolating and remediating computers. Forensic data needs to be collected, analyzed and properly stored in order to identify the scope and impact of the breach. Notifications have to go out to employees, clients and customers, and they must be worded properly as well as sent at the right time. Coordination with legal representation throughout the entire process is necessary so that they can react quickly and protect the business/organization.
If you’d like to learn more or have questions, feel free to contact us any time.