Medical Data in the Crosshairs: Why is Healthcare an Ideal Target?

In May of 2015, healthcare company Carefirst Blue Cross and Blue Shield made news after it was hit by a data breach that exposed sensitive data of its customers based in Maryland, Washington, and Virginia. Valuable personal information of the healthcare insurer’s 1.1 million-customer base got compromised, including social security numbers, financial records, passwords and credit card credentials.  CEO Chet Burrell expressed dismay and regret before assuring customers that necessary actions were being undertaken to repair damages caused by the incident.

This isn’t the first incident where healthcare companies appear to have fallen short on security, leaving them vulnerable to cybercriminal schemes. In fact, Carefirst—said to be the “third Blue Cross and Blue Shield company” to become subject to cyber-attacks—is a considerably small addition to the pile of incidents looked into by the authorities and security experts on the burgeoning problem of healthcare as the new cybercrime target.

Healthcare under attack

In the past decade, attackers have regularly hit targets such as retailers and even banks to mine banking and other financial credentials that will translate into profit. They've since cast a wider net on other industries, showing that even the most unlikely of victims and most formidable of institutions could easily be preyed on by online crooks. Companies, big and small, have become targets. In turn, customers have grown uneasy about their security.

Over the past year, the financial sector is still being hit, but healthcare companies are being hit harder. It begs the question: Why are healthcare companies being targeted? 

In a nutshell, it's all about the data.

Healthcare service providers have huge database that serve as a repository of customer information that's more extensive than any other industry or organization—the type that, when stolen, cannot be easily replaced. Trend Micro Global Threat Communications Manager Christopher Budd notes, “Healthcare data represents the ‘holy grail’ in terms of data theft. When credit card data is stolen, the criminals can use that only until the credit or debit cards are cancelled.  But how do you ‘cancel’ your social security number? You can’t.”

Troves of mined data from healthcare companies are good as gold for cybercriminals as these can easily be used for identity theft and other schemes, from opening accounts using stolen identities, resale in the black market, and even for blackmail. It has already been proven that this data isn't as secure, making for an even more ideal target.

The Identity Theft Resource Center (ITRC) supports this by saying that four out of ten breaches recorded from 2005 to 2014 zoomed in on the medical or healthcare industry as their prime attack target. The US Department of Health and Human Services also said that since 2009, cybercriminals have compromised data of over 120 million customers from more than 1,100 different breaches on healthcare organizations. This only goes to show that medical information is highly valuable in the eyes of the attackers.

2009-2015: A timeline of healthcare breaches

Healthcare-related breaches have been reported since 2005, but it was in 2009 when attackers have started amassing records that exceeded the 4 Million mark. That year, the Virginia Department of Health made the headlines with a reported breach that involved 8 Million customer records and over 35 million prescriptions from a hacker that demanded $10 Million in return.

In 2011, the United Kingdom's National Health Services reported "human error" as the primary reason for compromising over 8 Million unencrypted patient records. Laptops where unencrypted patient records resided were reported stolen, which resulted in the breach that exposed their customers' information.

2013 saw a big breach that exposed more than 4 Million patient records from the Advocate Medical Group. The incident was blamed on the lack of strong encryption measures employed on four stolen computers, exposing their customer's names, addresses, dates of birth, and social security numbers to cybercriminals.

Between 2012 and 2014, cybercrimals started to ramp up attacks on the healthcare industry, which remarkably suffered more than the business, military, and government sectors. In fact, the number of health care service provider victims has grown almost fourfold in 2014 from when it was first observed in 2005.

In 2014, Tennessee-based hospital operator Community Health Systems (CHS) announced a security breach that resulted in the loss of personal data of over 4.5 million patients. The attackers,  circumvented the company’s security systems to collect five years’ worth of personal data from names, addresses, dates of birth, telephone numbers, and security systems.

The sophistication of the technique used in the CHS breach led showed that attackers are adopting new methods to infiltrate target systems—more advanced methods that didn't require physical contact with the target systems, such as the need to steal or illegally access computers and laptops.

This is highlighted by the massive attack carried out on Anthem Inc., the second largest health insurer in the United States, that was announced last February. The attack, said to have begun in April 2014, employed the use of custom backdoors to amass valuable information belonging to over 80 million former and current customers and even employees of the company. While Anthem CEO Joseph Swedish said that “no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” names, birthdays, member IDs, social security numbers, phone numbers, email addresses, and employment records were still compromised.

Approximately over a month after Anthem’s announcement, Premera Blue Cross divulged a breach in March of 2015 that exposed medical and financial information of over 11 million customers. Discovered at the tail-end of January this year, Premera shared that the initial attack occurred on May 2014.  While the company said that no evidence shows the removal or “inappropriate use” of information from the company’s system, names, dates of birth, email addresses, addresses, telephone numbers, social security numbers, member ID numbers, bank account information, claims information, clinical information that dates back to 13 years were said to have been exposed to possible risk from the attack.

How can companies secure healthcare data?

Trend Micro’s 1Q 2015 Security Roundup showed why healthcare service providers have become a goldmine for cybercriminals.

With retail companies, banks and other commonly-targeted organizations in the past boosting more robust security measures, online criminals are more likely to target less-secure organizations. Security researchers have indicated that the healthcare industry is “behind other industries when it comes to security.” In fact, the FBI has issued a well-founded warning a year ago on the “lax cybercsecurity systems” used to protect healthcare information, which is considered even more valuable on the black market that credit card credentials. At the rate the healthcare industry is responding, we might be n for even bigger attacks soon.

While earlier attacks on the health care industry were facilitated by the theft or loss of unencrypted laptops and other devices, it's no longer the case. Sophisticated schemes are now in play and organizations need to invest in measures and solutions built to keep up with the threats coming their way.

Protecting healthcare information involves covering all bases of cybersecurity: guarding patient portals, proactively preparing against data loss, detecting breaches, auditing for compliance, safeguarding medical devices, securing legacy systems, and watching out for all possible endpoints that may be attacked.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.