Recently, on Dark Reading, Sara Peters and Ericka Chickowski wrote a great piece about PII-centric attacks and threats in the healthcare market.
As the healthcare marketplace moves online, opportunistic criminals are retargeting their attacks to focus on healthcare consumers.
Over the past decade, there has been enormous pressure on the healthcare industry to move health records online. Today, according to studies recently published by the U.S. Department of Health & Human Services, almost 90 percent of all doctors and almost 75 percent of all hospitals have deployed at least a basic electronic health record system. And, these adoption rates have soared over the past five years. Insurance reimbursements have been managed online for years, and healthcare enrollments through employers are increasingly managed through a Web browser. The rollout of the Affordable Care Act, with its online purchase model, further accelerated the migration of healthcare to a predominantly online model.
Of course, when markets move online, the cyberattack rate grows dramatically. Healthcare companies saw a 72 percent increase in cyberattacks from 2013 to 2014, according to Symantec. The vast majority of these attacks are quick cash-grab schemes – simple phishing, ransomware or other such ploys. But PII attacks are different – they focus on mining personal data that is quickly sold on the black market. And in today’s black market for personally identifiable information, stolen healthcare records and healthcare data are among the most lucrative commodities.
Why? Healthcare records are not under the same daily scrutiny as bank accounts and credit cards. A stolen credit card triggers a known and field-hardened sequence of events at banks, card issuers and retailers – the stolen card is only usable for a short period of time. But a health record is very different – it contains many more discrete pieces of personal data: names, dates of birth, Social Security numbers, addresses, phone numbers, cell phone numbers, spouse names, parent names and more. And it cannot be “shut down” the way a credit card can be cancelled and reissued. A stolen health record is more like a kit for manufacturing counterfeit identities.
So, my questions for you are simple ones: What steps are you taking to protect your clients’ healthcare data from criminals who are exploiting your brand, IP, and customer trust? Do you have the right level of cyber threat monitoring and analysis in place to protect your institution and your clients from online threats?