This year, Reuters reported that the FBI issued a private notice to the Healthcare industry warning providers that their cybersecurity systems are weak compared to other sectors. According to a survey by the Ponemon Institute, 72% of healthcare organizations say that they are either somewhat confident (32%) or not confident at all (40%) in the security and privacy of the patient data shared through health information exchanges (HIEs). Personal information found in healthcare records has a high price on the black market, which makes any company that stores such data a tempting target for attackers. This data includes names, Social Security Numbers, birth dates, telephone numbers, member identification numbers, e-mail addresses, and mailing addresses. In the Premera breach, medical claim information, including clinical information, was allegedly also compromised.
There are many ways to misuse medical data. For example, Social Security Numbers and mailing addresses can be used to apply for credit cards or to get around corporate antifraud measures. This explains why attackers have targeted U.S. health insurance providers recently. On March 17, 2015, Premera Blue Cross disclosed that the personal details of 11 million customers had been exposed in a hack discovered in January. In February, Anthem, another health insurance provider, stated that 78.8 million customer and employee records were accessed as a result of an attack. Credentials including Social Security Numbers can be sold for a couple of hundred dollars, since the lifetime of this data is much longer than that of pilfered credit card numbers. Typical targets, such as Finance and Retail, are now better protected from cyber attacks because they have been targeted for decades, but the Healthcare industry is less well secured and may bring more profit to an attacker. For instance, the medical claim information that attackers accessed in the Premera breach could be used to blackmail victims (according to Jeff Schmidt, the CEO of JAS Global Advisors, an IT security firm). Attackers can use sensitive clinical data, such as poor test results, to e-mail patients and threaten to make the information public unless a ransom is paid.
We expect the number of breaches in the Healthcare industry to increase. Healthcare organizations face the challenge of securing a significant amount of sensitive information stored in their networks, which, combined with the value of a medical identity string, makes them an attractive target for cybercriminals.