BreachExchange mailing list archives
Why health hacks are worse than credit card hacks
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 5 Feb 2015 18:18:44 -0700
http://fortune.com/2015/02/05/why-health-hacks-are-worse-than-credit-card-hacks/

Companies in the health care industry have richer data and fewer defenses than those in other industries, making them especially susceptible to attacks.

In the largest-ever security breach of a health insurance company, Anthem (WLP) revealed on Thursday that the personal data of 80 million customers may have been exposed to hackers.

It’s likely that hackers will continue to target health care companies. For one thing, health data is a richer source of personal information than credit card data. Among the bounty: social security numbers, e-mail addresses, birthdays, street addresses, policy numbers, diagnosis codes, billing information, and the names of family members—the sort of information used in security questions for online accounts.

Malicious hackers can use that information for what’s sometimes called a “soft hack,” or unauthorized entry without the use of sophisticated software. Identity thieves can gain access to a person’s account by guessing the right answers to security questions and resetting a password.

With the right combination of family and personal information, a thief can also use fake identities to score drugs from pharmacies. This is a major reason why stolen health credentials are worth 10 times more than credit cards on the black market, according to Reuters.

Secondly, health care companies haven’t focused on security as much as other industries have, and have been known to rely on outdated software. “Healthcare organizations have invested less in IT, including security technologies and services than other industries,” says Lynne Dunbrack, a vice president at market research firm IDC.

That’s true for insurers in part because they aren’t incentivized to make security a priority. Their end customers often have little choice as to which provider they use, since that choice is typically made by employers. Insurers are not likely to lose as much business over a data breach as, say, a retailer. For example, it is much easier for a shopper to choose Walmart (WMT) over Target (TGT) after the latter suffered a massive security breach last year.

In general, companies that administer their data in servers located on-premise are often less secure than companies that rely on major cloud computing vendors, according to Kevin Spain, a general partner at Emergence Capital. “The most vulnerable systems tend not to be cloud-based because security is what they do,” he says. A hack like this may not ruin a health insurance company like Anthem, but it could destroy a cloud software company like Salesforce, Spain says: “That’s why there’s a different level of priority.”