[BreachExchange] Overwhelming Cyber Attacks On Healthcare

Audrey McNeil audrey at riskbasedsecurity.com
Wed Oct 19 19:37:05 EDT 2016


https://www.cybersecurityintelligence.com/blog/overwhelming-cyber-attacks-on-healthcare-1777.html

In 1996 the US Health Insurance Portability and Accountability Act (HIPAA)
was enacted. The Accountability portion of the law requires that healthcare
providers protect the privacy of patient health information and includes
security measures that must be followed. Provider success has been mixed
and has recently come under intense scrutiny due to the number and size of
reportable breaches of health information.

There are several major contributors to this increase. The first is the
passage of the American Recovery and Reinvestment Act of 2009. The ARRA
included the formation of the Health Information Technology for Economic
and Clinical Health Act (HITECH). It also made permanent the Office of the
National Coordinator for Healthcare Information Technology (ONC) to set
policy and standards and establish procedures to guide and measure the
success of the implementation of electronic health records.

Creating EHR systems requires storing a large amount of confidential
patient information in multiple information systems and allowing thousands
of users and other systems to access those databases.

Adding to the difficulty of securing this data is the increasing number of
criminal attacks and HIPAA violations because of the rising value of health
information. For many criminals, credit cards had been the target of
choice. However, the value of a credit card is brief, as all transactions
can be stopped immediately after the bank is aware of suspicious activity.

By contrast, the value of a medical record can be worth 30 times the value
of a credit card on the black market. The reason is that health records
contain enough information to create a complete identity for the purpose of
opening accounts, obtaining loans, creating passports and stealing
healthcare services. The most valuable records belong to deceased patients,
where identity theft may not be discovered for years.

In 2016, the Ponemon Institute reported that during the last two years, 89
percent of all hospitals reported to the Office of Civil Rights at least
one data breach, and 79 percent reported two or more. Many in the industry
believe that almost every hospital has experienced multiple breaches.

In the battle to protect health information, many providers are simply
outmanned and outgunned by the sophistication and resources of hackers.
Some healthcare organisations experience thousands of attacks daily, some
of which are likely to succeed in penetrating the perimeter defenses. Once
inside, hackers have increased opportunity to steal user credentials that
will move them up the security ladder and into the data systems that
contain the most valuable information.

After enough credentials are collected, it is simply a matter of slowly
withdrawing information without triggering alerts. Ponemon reported in 2016
that it takes an average of 226 days to discover a breach and 69 more days
to determine how it occurred and to stop the flow. It is safe to assume
that after nearly ten months of access, there is little information left
for the hacker to steal.

In addition to criminal hackers, hospitals must also contend with staff
members using their credentials in an unauthorised manner. There are many
reported instances of staff accessing records of co-workers, family or
neighbors. The most publicized violations are stealing and selling
celebrity health records to the media.

When a staff member is offered thousands of dollars for a single record,
they may believe it’s worth the risk of being caught.