Cybercriminals have already begun targeting additional medical records by launching more malware and phishing attacks as they prey on retailers in a concerted effort to steal more identities and sell them in 2016.
Hackers launched rampant attacks last year as many health care and insurance companies were targeted, including Premera Blue Cross, Anthem, Excellus BlueCross BlueShield, CareFirst BlueCross BlueShield and UCLA Health along with the federal government’s Office of Personnel Management, revealing detailed personal information of hundreds of millions of consumers, including their Social Security numbers and bank account information. This stolen information means consumers are extremely susceptible to identity theft and fraud.
Thwarting these cybercriminals will be daunting as hacking becomes ubiquitous and widespread, leaving very little personal data -- ranging from driver’s license numbers to credit scores -- unscathed.
Medical Records Remain a Target
Cybercrimes are the “new health care crisis” as the data breaches over the past five years have led to over 143 million compromised patient records with only more to come, said Oscar Marquez, chief technology officer at iSheriff, a Redwood City, Calif.-based provider of enterprise cloud security solutions. Patient data has largely been immune to attacks in the past as hackers focused on retailers and financial institutions, but it is now a prime target because medical records contain a wealth of information such as Social Security numbers, insurance ID numbers, credit card numbers, addresses and medical history and can be easily used as a weapon to commit fraud, financial theft and identity compromise, he said.
“In 2016, the health care sector will continue to represent a juicy target for cybercriminals, because medical data has more lasting value than other types of information,” Marquez said. “A stolen credit card can be cancelled and fraudulent charges disputed, but resolving medical identity theft is not as straightforward.”
Medical identity theft is burgeoning as a large cottage industry, since these records sell for 10 to 20 times more than credit card records on the black market, he said.
The largest culprit of these massive breaches could easily be traced back to the health care insurance industry, because for years these companies neglected to update their technology and cybersecurity, which led hackers to figure out that they will not encounter “much resistance” gaining access to these networks and are able to “lurk undetected” for longer periods of time, Marquez said.
As more doctors, health care facilities and insurance companies digitize their records, hackers will escalate the number of phishing and spear phishing emails to susceptible patients, because “phishing emails work and the attacks take little effort to execute,” said Amy Baker, a vice president at Wombat Security Technologies, a Pittsburgh, Pa.-based provider of security awareness training solutions.
Phony forms are emailed to unsuspecting recipients, who reveal sensitive information when they click on a “dangerous” link or enter private data such as passwords, account identifiers or other information, she said.
Since EMV, or chip-and-PIN, credit card technology is becoming more commonplace and adopted among retailers, cybercriminals will forge ahead and move on to lower-hanging fruit, including health care insurers, Marquez said.
“Any health care organization collecting, storing, and transmitting patient data is vulnerable—from the smallest physician practices, clinics, and labs to the largest hospitals, HMOs, PPOs and insurers,” Marquez said. “As government regulation and public scrutiny heat up in the aftermath of this year’s onslaught of breaches, failure to secure sensitive information is going to be increasingly damaging to profits and reputations, not to mention the healthcare system as a whole.”