Our own Rob Juncker, V.P. of research and development for Shavlik, has predicted that healthcare breaches will rapidly increase in 2015. Now that hackers are getting smarter about attacking endpoints to glean credit card data from retailers, they are looking for more creative ways to make money. In the hacker community, credit card data is worth about $1 per card, whereas protected health information (PHI) is currently worth about $10 per record and rising.
Why the discrepancy in price? Because hackers can do more nefarious activities by submitting fraudulent healthcare claims or by buying and selling drugs and medical equipment for financial gain. Credit card companies are just plain better than insurance companies at detecting and shutting down fraudulent activity. Credit card companies also have the option to change your credit card number, whereas your patient data cannot change. Medical fraud could last for years before it is detected and corrected.
Now that Mr. Juncker has made the prediction, 2015 brings us our first major health record breach with Anthem, whose brands include Anthem Blue Cross/Blue Shield and others. The potential theft could be as big as 80 million records and include names, social security numbers, birth dates, policy numbers, diagnosis codes and billing information. The overall security problem is exacerbated by outdated equipment, demands from doctors to use mobile devices, and the loss or theft of devices used by multiple health workers.
So what can healthcare and IT organizations do? The first step is to simply keep up with the latest updates and patches. Once a software vendor such as Adobe releases a patch, hackers know there is a security hole, and any system that has not applied the patch is exposed. Shavlik is seeing an increase in vulnerabilities coming from third-party applications outside of the OS. Patching both the OS and third-party applications is critical to keeping them secure and the data safe.
Vulnerabilities exist on the endpoint because endpoints are often unpatched and neglected. IT has enough on its plate trying to keep all the software on every system up to date. But in the wake of the latest breaches, it becomes imperative to do so.
As we see healthcare staff requesting more mobile devices such as tablets, we will see more loss and theft of devices that contain PHI. Having methods to encrypt the critical data, such as email and attachments, will greatly decrease the risk.
As a healthcare provider, what does it mean to you? As in retail, security is more and more of an issue that needs to be addressed. Healthcare organizations are now under scrutiny to comply with HIPAA regulations. Anchorage Community Mental Health Services (ACMHS) was fined $150,000 after 2,700 health records were stolen in an attack. They were attacked simply because they were not patching software!
Beware healthcare. 2014 was the year of retail breaches. 2015 is the year of healthcare breaches!