The health industry is not immune to cyberattacks
By: Shirley Li, The Atlantic
Hackers often carry out massive cyberattacks to gain access to financial data through banks and retail companies, but this week's cybercrime hit a seemingly new target: medical data, taken from the health insurance company Premera Blue Cross. The attack affected 11 million patients, making it the largest cyberattack involving medical information to date.
The healthcare industry has been catching hackers' attention lately. In February, the health insurance company Anthem reported a breach in which hackers accessed about 80 million records, and in 2014, the Tennessee-based hospital operator Community Health Systems saw 4.5 million records accessed, though both companies said no medical data was exposed. Even so, as Pat Calhoun, the senior vice president of network security at Intel Security, puts it, the healthcare industry is just beginning to find itself in cyber-criminals' crosshairs, making it slow to shield people's records.
"The healthcare industry is not immune to attacks," he told me. "It's really a wake up call for manufacturers and healthcare providers to understand how to minimize the impact on security challenges."
Calhoun points out that healthcare breaches aren't unheard of: In fact, according to Intel Security and the Atlantic Council's latest report on cyber risks, about 44 percent of all registered data breaches in 2013 targeted medical companies, with the number of breaches increasing 60 percent between 2013 and 2014. Those numbers may seem larger than expected—how often do healthcare breaches make the news?—but Calhoun tells me that these reported medical-company breaches happen on smaller scales, affecting far fewer people than attacks on banks and government data.
Still, hospitals and insurance companies aren't necessarily more vulnerable than banks and government entities. Miten Marfatia, the CEO of the IT solutions provider EvolveWare, tells me that no matter what industry, vulnerability depends on the type of systems they have. "The older the system, the more vulnerable it is to cyberattacks," he says. The fix to this seems obvious—update software regularly to prevent breaches—but not enough healthcare companies understand the issue.
"Advanced cybersecurity defenses are still a relatively new idea to many healthcare organizations," said Greg Kazmierczak, the CTO of data-security company Wave Systems Corporation. "Big banks and large financial firms, on the other hand, have been dealing with these issues internally and in the public eye for the past decade or so with the large-scale breaches of JP Morgan and Bank of America."
In other words, as more attacks happen, more victims will beef up their cybersecurity. So, with the Premera breach, it's the healthcare industry's turn to rethink data security.
Medical data is also becoming a highly lucrative target. "Financial data has always been a priority, because it's low-hanging fruit," Calhoun says. "But over the past couple of years, we've identified that medical information has a higher value on the black market than credit card information."
This, he says, has more to do with what a person whose data has been accessed can do. When it comes to financial data or stolen credit cards, for example, people can take steps to cancel their cards and prevent identity theft. With medical data, no such contingency plan exists, as companies continue to figure out how to respond both quickly and efficiently to cyberattacks.
For now, both Anthem and Premera have consulted the cybersecurity company FireEye Inc. to investigate their vulnerabilities. Laura Galante, FireEye's threat intelligence manager, told me that as more of these breaches occur, healthcare insurers have gained, as she puts it, "a new appreciation for advanced threats intent on compromising their networks."
Yet it's not just about fortifying security against potential hackers, she says. Replacing or updating security systems is important, but when these data breaches occur, they test patients' trust in the healthcare industry. This means that hospitals and health insurance companies need to better communicate to their patients and customers about how their medical data is protected in the first place.
"Historically, companies have to be adept to buying the latest technology," Galante said. "But this problem goes beyond that."