Healthcare has remained on the fringes of direct cyber targeting, but the value of health data now places many organizations inline for a cyber catastrophe. Today, a government report found security vulnerabilities in a national health care database that could impact millions of Obamacare patients. The Obama administration acted quickly to resolve the issues. In this case, the organization got lucky and pre-empted an attack as far as they know.
Health data is an easy target because many organizations only have Health Insurance Portability and Accountability Act (HIPAA) to guide them for security. It is painfully obvious that with recent events, the requirements of HIPAA are not sufficient to ensure security of health data. Just like with The Payment Card Industry Data Security Standard (PCI DSS), minimum compliance with HIPAA regulations does not lead to protection of all health data. HIPAA only requires that organizations “[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…”
Risk management requires forethought and an understanding of the threat landscape in order to be effective; especially for large organizations. Prior to a couple years ago, there was no credible threat with regards to the theft of health data because large breaches did not occur. However, the threat landscape has changed and there is now demonstrable evidence that healthcare is being directly targeted. Therefore, the measures sufficient to reduce risk and vulnerabilities require increased protection and defense commensurate with the increased threat emerging.
The threat itself has emerged because the value of health data can sell upwards of $50 to $70 per record – for the hacker entrepreneur. Likewise, health data, especially social security numbers, can be used for intelligence and counterintelligence information for national- and political-minded organizations. The tally for recent healthcare breaches is staggering: Anthem, 80 million records; Premera, 11 million records; CareFirst, 1.1 million records; Community Health Services, 4.5 million records; Advocate Medical Group, 4 million; Utah Medicaid, 780 thousand; South Carolina HHS, 6.4 million; and the list goes on and on of records exposed or stolen.
Some of these records were exposed because of a lost or stolen laptop, but others were stolen due to social engineering. Anthem has a website called wellness.com. The attackers created a website we11ness.com, that looks so alike to the real web address that it could easily be overlooked in a URL bar. Premera’s website was spoofed with prernera.com – putting the “r” next to the “n” simulates the “m” in Premera. Spoofed websites are setup to look just like the original websites, except when you put in your username and password, the data is collected by the attackers.
While this tactic seems immature, it is easily implemented and can yield high results for the bad guys. But why would advanced adversaries want health information? One reason is to track individuals suspected of being political dissidents or intelligence operations. Another reason is to leverage the PII information in the health records to create fake identities.
The bottom line is that, as the events of the past 12 months have demonstrated, healthcare information is an attractive target for attackers and the motivation will persist for the foreseeable future. While cyber attacks aren’t unique to healthcare, this industry is highly targeted since companies are limiting their cybersecurity strategy to meet regulatory compliance. The protection of data and consumer privacy is not an IT department problem. Companies need a holistic approach, a way to integrate all layers – customer data security, incident preparedness, legal counsel, anticipation to emergent threats, compliance, and a sense that every employee has a responsibility to protect data.