[BreachExchange] Hackers in no rush to cash in on stolen data

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 3 17:54:15 EDT 2016


http://www.healthdatamanagement.com/news/hackers-in-no-rush-to-cash-in-
on-hacked-data

As cyber attacks continue to target healthcare organizations, hackers are
changing tactics, becoming more patient and sitting on stolen data until
the perfunctory credit monitoring services offered to patients expires.

They can afford to do so, says Pam Hepp, a healthcare attorney at the
Buchanan, Ingersoll & Rooney law firm in Pittsburgh. Sometimes, a hacker
may dip into some of the acquired data to monetize it, but increasingly
they’re holding most of it until monitoring activity ends.

Hackers can be patient because they know that physicians and staff members
still need access to data and are still likely to fall victim to phishing
scams, Hepp adds. Further, while security oversight of internal and vendor
processes are improving, much of the processes still rest on a business
associate agreement, which often hasn’t provided much protection.

Once medical data is taken, it is difficult for consumers to know what has
been taken until they are notified, or they have a physician appointment
and find out that their blood type and diagnoses have been changed because
a hacker stole their identity.

That hacker, Hepp says, is using the data to generate false claims for
durable medical equipment, hospice or home health services not being
delivered. “Stealing data means you don’t have to find patients; you just
make up new patients,” she says.

Unfortunately, while security technology continues to evolve, hackers will
continue to have the upper hand and almost always will be a step ahead,
Hepp notes. “Even if you are doing robust risk assessments, between that
and human error, breaches will happen.”

When there is a beach, a risk analysis should be conducted, not just to
learn what types of data were compromised, but who had access and what data
was seen, followed with an ongoing review of vulnerabilities to ensure the
same type of breach does not happen again, she counsels.

Large healthcare organizations have the resources to conduct a
comprehensive risk analysis on an annual basis, and federal regulators
expect that, Hepp advises. Smaller organizations, if possible, should
annually assess risk vulunerabilities; those without the resources should
at least do it every two years.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161003/2b109541/attachment.html>


More information about the BreachExchange mailing list