
Health files make for a juicy target for thieves


By now, many of us have burned a few precious seconds at the checkout line waiting for a fancy new chip-and-pin card to confirm our purchase of groceries. A small price to pay, we’re assured, for much better protection from data theft.

A downside to that additional security: The hackers have moved on.

Today, according to cybersecurity specialists, criminals hoping to scoop up valuable personal data are increasingly targeting health care companies — from local doctor’s offices to major health insurers.

More than 100 million health care records were compromised in 2015 alone. Federal records show that almost all of those losses came from just three attacks on health insurance providers: Anthem Inc., Premera Blue Cross, and Excellus Health Plan Inc.


At the same time, data breaches in the retail industry are plummeting. Last year marked a four-year low for reported breaches of records of retailers, with just 5.7 million compromised, according to research from IBM Security.

For consumers, cybercriminals’ shift toward health care records can have alarming consequences. Losing a credit card number can be resolved relatively quickly once fraud is noticed, and banks have tested systems for refunding money and shutting down bogus accounts.

But there’s little of that in the health care system, which collects enough personal data — Social Security numbers, addresses, phone numbers, next of kin — to attract sophisticated data thieves.

“If someone steals your medical records, there’s no one you can call,” said Caleb Barlow, a vice president for IBM Security in Cambridge. “Are you going to call 911 and say, ‘Hey, somebody stole my medical records?’ That’s going to be an interesting conversation.”

The surge in health care attacks has gotten the attention of industry leaders, particularly after the spike in compromised data recorded last year.

The threat of government fines for violating privacy laws and costly damage to a health care organization’s reputation means that boards of directors now sweat the details of cybersecurity strategy, said John Halamka, chief information officer at Boston’s Beth Israel Deaconess Medical Center.


“In the past, it was common for small health care organizations to ask the network or telecom leader to take on information security part time,” Halamka said. “Today, many organizations either outsource information security to an expert firm or have a dedicated internal staff.”

That doesn’t always mean that more money is being thrown at the problem. More than half of health care organizations surveyed by the Ponemon Institute said they spend 20 percent or less of their security and privacy budgets on responding to data breaches. About 60 percent said that ratio hasn’t changed in the past two years.

“The majority of health care organizations still don’t have sufficient security budget to curtail or minimize data breach incidents,” Ponemon said in its May 2016 report.

Several factors have made health care organizations ripe for attacks: The industry is generally more fragmented than banking or retail, with the personal data of customers being passed among a wide array of contractors, service providers, and satellite offices, Barlow said.

And since they’re a relatively new target for big-time attacks, health care companies have lots of ground to make up when it comes to building up defenses.

“You’re at the mercy of the weakest link in the chain,” Barlow said.


But the real reason is money. Strong fraud-detection systems mean that bank-card numbers have a much shorter shelf life once they’re stolen, which has driven down their price on the black market. In some cases, IBM researchers said, thieves are giving away credit card numbers as a way of beefing up their credibility with other hackers.

Medical records are worth much more, with the FBI reporting that even partial electronic health records can fetch $50 each on the black market.

“Health care institutions store millions of Social Security numbers,” Halamka said. “Organized crime, in a Willie Sutton fashion, said, ‘I’ll attack where the money is.’ ”

Cybersecurity experts expect health care to remain a target for data thieves, and federal figures show the pace has not slowed. The Department of Health and Human Services, which collects information on data breaches affecting 500 or more people at a time, reported 146 cases in the first six months of 2016 — about the same as reported in the first half of 2015.

One bit of good news: The number of records compromised so far this year, covering 4.5 million people, is down significantly from 2015, when the health insurers had those huge data breaches.

The problem is, it may take years for those stolen records to resurface. For example, Barlow, the IBM Security executive, learned several months ago that the medical records of his two grade-school-age children were compromised in a health care data breach.

Those identities are essentially worthless for a criminal seeking quick payoff — nobody’s going to give a loan to a preteen. But once those kids reach their 18th birthdays, Barlow worries, the leak could come back to haunt their finances.


“How long is it going to be before that 18-year-old realizes that somebody at another address has established credit in their name?” he said.

“It’s going to be when that person defaults, or more likely when they go to establish credit on their own. But now this thing’s been out there for years. Now you’ve got to go through the process of proving this wasn’t you.”

Curt Woodward can be reached at Follow him on Twitter @curtwoodward.