BreachExchange mailing list archives

Why health hacks are worse than credit card hacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 5 Feb 2015 18:18:44 -0700

http://fortune.com/2015/02/05/why-health-hacks-are-worse-than-credit-card-hacks/

Companies in the health care industry have richer data and fewer defenses
than those in other industries, making them especially susceptible to
attacks.

In the largest-ever security breach of a health insurance company, Anthem
(WLP) revealed on Thursday that the personal data of 80 million customers
may have been exposed to hackers.

It’s likely that hackers will continue to target health care companies. For
one thing, health data is a richer source of personal information than
credit card data. Among the bounty: social security numbers, e-mail
addresses, birthdays, street addresses, policy numbers, diagnosis codes,
billing information, and the names of family members—the sort of
information used in security questions for online accounts.

Malicious hackers can use that information for what’s sometimes called a
“soft hack,” or unauthorized entry without the use of sophisticated
software. Identity thieves can gain access to a person’s account by
guessing the right answers to security questions and resetting a password.
With the right combination of family and personal information, a thief can
also use fake identities to score drugs from pharmacies. This is a major
reason why stolen health credentials are worth 10 times more than credit
cards on the black market, according to Reuters.

Secondly, health care companies haven’t focused on security as much as
other industries have, and have been known to rely on outdated software.
“Healthcare organizations have invested less in IT, including security
technologies and services than other industries,” says Lynne Dunbrack, a
vice president at market research firm IDC.

That’s true for insurers in part because they aren’t incentivized to make
security a priority. Their end customers often have little choice as to
which provider they use, since that choice is typically made by employers.
Insurers are not likely to lose as much business over a data breach as,
say, a retailer. For example, it is much easier for a shopper to choose
Walmart (WMT) over Target (TGT) after the latter suffered a massive
security breach last year.

In general, companies that administer their data in servers located
on-premise are often less secure than companies that rely on major cloud
computing vendors, according to Kevin Spain, a general partner at Emergence
Capital. “The most vulnerable systems tend not to be cloud-based because
security is what they do,” he says. A hack like this may not ruin a health
insurance company like Anthem, but it could destroy a cloud software
company like Salesforce, Spain says: “That’s why there’s a different level
of priority.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
