BreachExchange mailing list archives

Why Do Hackers Want Your Health Data?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 10 Sep 2015 19:33:41 -0600

http://www.popsci.com/why-do-hackers-want-your-health-data

Yesterday, major health insurance providers Lifetime Healthcare Companies
and its subsidiary BlueCross BlueShield announced that they had been
hacked, affecting a total of 10.5 million patients. These aren’t the first
healthcare companies to be hacked this year, and they certainly won’t be
the last; though data breaches have become an unfortunate reality for many
companies, health information is especially at risk.

Healthcare data is the cash cow of the hacker world. A hacker will get $10
on the black market for each individual healthcare profile, 10 or 20 times
the amount they would receive for credit card information, according to a
report from Reuters published last year.

Learning a patient’s medications and diagnoses means that a hacker can
order expensive drugs or equipment and resell them, or file made-up claims
with insurance companies and get money in return. They can even commit
medical identity theft to seek free medical care for themselves. And unlike
credit card companies, healthcare providers don’t usually vigilantly
monitor this activity, so hackers can continue to reap benefits from the
same data for years.

As a result, healthcare companies and hospitals find themselves under
constant digital assault, and it’s costing them a total of $6 billion per
year, Bloomberg reports. The companies find themselves ill prepared to ward
off these attacks—81 percent of healthcare organizations have been subject
to attacks in the past two years, according to a survey published last
month by tax audit company KPMG. Earlier this year, healthcare providers
were required to switch over to electronic medical records, making more
patients vulnerable to attacks than ever.

Hospitals and insurance companies are slowly beefing up their digital
security, aided by organizations like the FBI, but the process is slow. In
response to this most recent attack, Christopher Booth, the CEO of Lifetime
Healthcare (the parent company of Excellus BlueCross BlueShield) says that
his organization has, “already taken aggressive steps to remediate our IT
system of issues raised by this cyberattack,” by hiring a digital security
firm to evaluate its current setup, according to a press release.
Apparently, preventing digital attack can only go so far—healthcare
providers seem to only be increasing their security measures once a breach
has already happened.

Both BlueCross BlueShield and Lifetime Healthcare Companies have begun
notifying patients of the security breach and will offer free identity
theft protection and credit monitoring services to those affected.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
