Despite reports of efforts to blackmail patients and the possibility of hacking pacemakers, healthcare data breaches in the end are similar to other cyber crimes, according to a new report from Verizon. In an examination of approximately 60 confirmed data breaches over the past two years, the report concludes that those who attack healthcare systems primarily look for information from which they can make a profit.
"POS [point-of-sale] systems and desktops were at the forefront of breaches in the healthcare sector," according to the report's authors. "At first glance, this may seem counterintuitive, since electronic health records would almost certainly be stored in a file or database server, and surely this is what the criminals are after. But this likely represents an incorrect assumption; most cybercriminals are more interested in accessing your bank account and applying for loans in your name than they are the details of your last medical exam."
Beyond targeting the payment chain, thieves may steal hardware--think laptops--that they can sell quickly for the payout rather than for the information it contains.
Among the breaches studied, most of the incidents occurred at small-to-medium-sized businesses (one to 100 employees), most of which were medical and dental offices--low-risk targets for financially motivated organized criminal groups. Inside jobs were much less common, but the threat cannot be ignored, the report warns.
"When employees do go rogue, their ready access to and knowledge of information assets means they can do quite a bit of damage without expending a lot of effort," the report says.
Criminals scouring the Internet for low-risk targets was the most common data breach scenario, followed by hacking into systems--most often with default or easily identifiable credentials--and planting malware to quickly extract data.
A breach that fits that pattern occurred in March when Eastern European hackers gained access to healthcare information for nearly 780,000 Medicaid patients in Utah, including Social Security numbers for 280,000 beneficiaries.
Reports that hospital medical devices often are riddled with malware only raise more alarms.
Lack of expertise in managing their POS systems has been a big problem for smaller practices, which instead often rely on a third-party service provider for security. The report urges practices to ensure that their POS system is Payment Card Industry Data Security Standard compliant, and to have security assurances written into the contract with their vendor.
Among the report's other suggestions:
- Change administrative passwords on all POS systems.
- Implement a firewall or access control list on remote access/administration services.
- Encrypt user devices and media that contain medical and personal records.