It's only spring and already this year hackers have pulled off two massive healthcare breaches, in what appear to be sophisticated attacks. But are the Premera Blue Cross and Anthem breaches just a coincidence, or are they part of a larger trend that could affect other healthcare companies this year?
There's no denying that the healthcare sector has long been a target of hackers. Identity theft is a lucrative black market business and these companies are repositories for some of the most sought-after data by cyber-criminals. But until recently, most of these incidents were due to physical security mistakes like lost or stolen laptops - not sophisticated cyber attacks on the network. They were also more likely to happen to local or regional healthcare groups, instead of national organizations. According to Verizon's 2014 Data Breach Investigations Report, less than 1% of healthcare security incidents in 2013 were due to cyber-espionage.
But the exposure of 11 million personal records at Premera, and another roughly 80 million at Anthem, signifies a dramatic shift in the cyber threats faced by this industry. Far from an anomaly, it appears to be the start of a more sophisticated hacking campaign on healthcare companies across the U.S.
There are three key reasons why the threat environment is changing for healthcare companies: the rise of electronic health records, reduced potential for payment card fraud and the expansion of state-sponsored hacking.
Beginning this year, medical practices will be penalized 1% of Medicare reimbursements if they fail to meet federal requirements for digitizing patient medical records. The move to electronic health records (EHR) has been underway for several years now, and received its first major boost in 2009 with the federal stimulus bill, but 2015 is the first year that financial penalties kick in. As a result, we can expect to see more healthcare organizations increasing their use of EHRs, which are rife with software and storage bugs, and weak security.
At the same time, cyber-criminals are about to see their cash cow, the magnetic-stripe payment card, fade into the sunset. This October is the official deadline set by credit card companies for U.S. retailers to adopt chip-and-PIN compatible payment terminals or else assume liability for fraudulent charges. Once this happens, we should see the start of a significant long-term decline in US credit card fraud, which currently makes up 51% of the $14 billion criminals cost the global economy each year. That is going to have a significant impact on their operations, and organized crime groups will have to adapt. And it appears they're already doing so.
Researchers are now seeing a new focus by cyber-criminals on long-term identity theft fraud through stolen Social Security numbers, rather than payment card fraud. A recent report by Gemalto found that identity theft now makes up 54% of all data breaches. Social Security numbers have also become more valuable on the black market, selling for as much as 10 times the value of stolen credit cards. The permanence of Social Security numbers is what makes them such an attractive alternative to stolen credit cards - criminals can use them indefinitely for financial fraud. And one of the biggest repositories of Social Security numbers, as well as other valuable identifiers like insurance accounts, is the healthcare sector.
Additionally, governments around the world are trying to boost their cyber capabilities - and in most cases, that means increased budgets for cyber espionage. The rise of state-sponsored cyber attacks is particularly worrying for U.S. companies, since many of these attacks are done in order to steal intellectual property and research/development secrets. The most heavily targeted U.S. sectors are defense, energy, transportation, technology, finance and government. So why is this a problem for the healthcare sector? The primary method for hacking into a company is by sending phishing emails to its employees. To make the phishing emails more compelling, sophisticated hackers will use personal information in the message to get the target to open it and click on the link or download the attachment. The personal information stored by healthcare companies is a goldmine for this sort of activity, which is why we're beginning to see highly sophisticated attacks against major healthcare groups - like the Premera breach disclosed earlier this month, as well as Anthem and Community Health Systems last year.
On their own, each of these developments would pose enormous challenges to healthcare institutions, but when taken as a whole, the threat level increases exponentially. The healthcare industry already struggles with basic security challenges; it's not prepared to deal with a rise in sophisticated attacks from state-sponsored hackers and organized crime. For example, it's the worst U.S. economic sector when it comes to data breaches caused by lost or stolen devices. As much as 46% of the industry's breaches in 2013 were caused by this easily avoidable problem, according to Verizon's report. The second worst industry was government, at 19%. A 2012 study by the Ponemon Institute also found that 94% of polled healthcare institutions admitted patient records had been exposed by data breaches.
While last year was most notable for the string of high-profile retail breaches, 2015 is poised to become the year of the healthcare hack. Unless healthcare executives begin making significant changes now to their security setups, we could see many more breaches hit this industry.