BreachExchange mailing list archives

How health history is more valuable to hackers than your credit card information


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 5 Nov 2014 19:43:10 -0700

http://betanews.com/2014/11/03/how-health-history-is-more-valuable-to-hackers-than-your-credit-card-information/

A recent article stated that medical records could be sold for up to 20
times more than credit card information on the black market. There are
various factors as to why consumers’ medical information has become so
valuable. This article considers those factors as well as some precautions
medical providers can take to better protect themselves against malicious
threats.

The first thing that needs to be addressed is why hackers prefer to buy and
sell medical records versus credit card information.

If we start with credit card information, we need to address the question
of how much a thief can profit from stealing a credit card. Sometimes zero,
maybe a few thousand dollars if he or she is lucky. The fraud detection
software that credit card companies deploy is so sophisticated that any
attempt to purchase, say, a TV in a state the victim has never been to is
flagged and rejected immediately. There are whole departments dedicated to
trying to track the thief, so that any loss in revenue by the credit card
company is minimized. In other words, when it comes to stolen credit card
information, there is a low reward for a moderate risk.

Now, take medical records. Most of us probably don’t understand why our
medical history is valuable. Why does it matter who knows our medical
history?

But, in reality, in a thief’s mind the real question is "who would be
interested in paying the most for the medical information I have?" The
answer lies with medical providers.

The advent of electronic records management has created a landscape where a
thief could steal batches (tens of thousands) of patient records in one
fell swoop. One of the original goals of electronic records management was
to provide seamless access to an individual’s medical records to many. This
way, multiple departments and specialties could all have access to a
singular account of a patient’s medical history. This is great for a
hospital where different departments need to communicate with one another.
From a security standpoint, however, there are now multiple access points
too. Electronic records are very useful in one sense as they help with
efficiency, document management and overall accountability, but with
anything that has multiple points of entry, there is now more vulnerability
to malicious use.

HIPAA compliance is another area of consideration, as it also
contributes in some way to the increased value of medical records on the
black market. HIPAA is a federal protection act that medical providers must
adhere to. HIPAA protects a patient’s information and also mandates security
safeguards. Any violation by medical providers or their employees could be
pursued in a court of law, criminally and civilly. Simply put, under HIPAA,
medical providers are federally required to keep patients’ information safe.

Finally, reputation must also be taken into account when considering the
value of health records. In the medical community, medical providers get
the majority of their business from referral and reputation. A breach in
security or any unprofessional act by a medical provider could cost them
several patients and therefore business.

Now let’s look at all of the factors together. Electronic records allow
thieves the ability to extract thousands of patients’ records in one
attack. Medical providers are federally required to keep patients’
information safe under HIPAA. Any violation of HIPAA alone could cost the
medical provider millions. Any known breach of patients’ information would
negatively affect the provider’s reputation, at both a patient and a
partner level. This means that millions of dollars and perhaps the medical
provider’s existence could be at stake. In other words, when taking into
consideration factors like the storage of electronic records, HIPAA
compliance and a medical provider’s reputation, when it comes to medical
health data there is a high reward for moderate risk for hackers.

Fortunately, security has become a main topic for medical providers and the
electronic records management vendors that support them. Security
features like the ones Penango offers, where email is encrypted and
authenticated, are beginning to be the norm. Two-factor authentication is
also becoming the norm. This is when the user will need to know a password
and have access to the token that generates the time-varying code. While it
is easy to figure out or skim passwords for most user accounts, getting
access to the token is much harder, and an attacker would have to steal the
user’s phone or physical key fob. All these options can help reduce the
risk of an attack.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/