Written by Dave Stelzl CISSP

Speaking to Healthcare Professionals – Security is More Important than Compliance!

IMG_2593

Healthcare Records Can Be More Valuable to Hackers Than Your Credit Card Number…

On the day JP Morgan announced the theft of 79 Million account records, I will be presenting a keynote on healthcare security at the annual 3T Systems Healthcare Summit, in Avon Colorado.

My heading – “Healthcare Records Can Be More Valuable Than Your Credit Card,” comes from a Sept 2014 article from Reuters. While the full details on one’s financial account information is worth quite a bit, card numbers and names have become a commodity.  That doesn’t mean hackers don’t want them. They do.  When a hacker steals 56 Million from a POS system, there’s money to be made.

But Healthcare records, containing names, birth dates, social security numbers, and medical history are worth about $10 per record. So when Community Health Services announced a 4.5 Million record breach earlier this year, you can believe the hackers are doing pretty well.  And there’s no federal tax to be paid on the resale of this information.

Other important sound bites:

  • Medicare fraud over the past year is up to $6 Billion. Who is going to pay for that? You and I will.
  • 40% of healthcare companies have reported a breach over the past two years according to a resent threat report.
  • 90% of healthcare cloud services are hosted by companies with a medium or high risk rating….
  • The FBI tells us medical security is weak and it may take years before a victim catches on.

What Will Hackers Do With All This Data?

They’ll resell it of course. There is the threat of someone misusing this information on purpose for extortion purposes. And there’s that risk that data could leak out, exposing someone in a way that would harm their reputation. But the real threat is fraud. When Community Health Services was hacked, China was blamed. Why would the Chinese want this data?

Healthcare data is primarily used in two ways. The buyer will use it to buy expensive medical equipment that can then be resold – such as expensive motor scooters. The other scam is to file fraudulent medical claims. When this happens the victim will likely start getting medical bills that aren’t theirs.  Trying to fight this won’t be easy if you’ve ever had to deal with bill collectors.

All of these costs will eventually be passed onto us as consumers and tax payers.

The Key Problem

The problem is HIPAA.  I don’t mean that the HIPAA laws create a weakness. What I do mean is that they have pulled everyone’s attention toward compliance laws requiring a lot of effort to keep up with – but don’t necessarily lead to security. Take the assessment requirement for instance.  Doing automated pen tests is something every company should do, but in my opinion it’s hardly an ethical hacking test.  All it does is expose major weaknesses in the systems that are scanned.  It does nothing to combat the social engineering tactics that hackers will actually use.

Thanks to 3T Systems for hosting this informative event, along with their partners including Check Point and Citrix.

© 2014, David Stelzl

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s