Medical Identity Theft: Does The Health Care Industry Think It's Too Big for Its Breaches?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 19 Mar 2014 19:12:56 -0600
If recent disclosures regarding the massive wave of breaches suffered by
retailing icons Target, Neiman-Marcus and Sally Beauty haven't scared you
enough, try to wrap your brain around the new Ponemon Institute Patient
Privacy and Data Security study. The study has found a 100 percent increase
in criminal attacks on health care organizations since 2010. But if that
weren't enough, they also found something far more disturbing.
"Despite concerns about employee negligence and the use of insecure mobile
devices, 88 percent of organizations permit employees and medical staff to
use their own mobile devices such as smart phones or tablets to connect to
their organization's networks or enterprise systems such as email. Similar
to last year more than half of (these) organizations are not confident that
the personally-owned mobile devices or BYOD are secure."
According to the report, very few organizations require their employees to
install anti-virus/anti-malware software on their smartphones or tablets,
scan them for viruses and malware, or scan and remove all mobile apps that
present a security threat prior to allowing them to be connected to their
networks or systems.
I don't know about you, but that scares me to death. Because we live in a
time when breaches have joined death and taxes as the third certainty in
life, this is foolhardy at best.
What should concern you about these findings (and several others in the
report) is that assaults on health care systems don't simply create the
potential to have credit cards stolen or checks redirected: it's that
hackers are getting access to your health care data ("protected health
information," or "PHI" in regulatory speak), and the real world
consequences of that are far more devastating.
Medical identity theft is on the rise, just as the rise in criminal
breaches of health care providers is spiking. Medical identity theft
accounted for 43% of all identity theft reported in 2013, and the U.S.
Department of Health and Human Services estimates that somewhere between
27.8 and 67.7 million people's medical records have been breached since
2009 (and that's before the flawed rollout of the Affordable Care Act).
So what happens if a criminal gets his or her dirty little hands on your
pristine medical records?
To some extent, it depends upon how much information you have shared with
your doctor. While it goes without saying that your physician will have all
the requisite contact and insurance information for billing, he or she
might also have information that they don't necessarily need to have such
as your Social Security number, your family names and/or birthdays (which
are often passwords or challenge questions for your bank, credit card and
brokerage accounts) and even financial information that could be used to
access your bank or credit card accounts.
Your name, address, Social Security number and family information can be
used not only to access your existing financial accounts (either directly
or via social engineering), but also to open new lines of credit in your
name. This is why it's important to check your free annual credit reports,
as allowed by law. You can also monitor your credit by using a free tool
like Credit.com's Credit Report Card, which updates two of your credit
scores every month. Any unexpected change in your scores can signal
On top of these financial risks, your medical records provide a veritable
cornucopia of information that can be used in other ways. For instance,
once a criminal has your personal and insurance information, he or she can
use it or enable another to gain access to the health care system in your
name, contaminating your medical records with his or their co-mingled
information. Nothing is more dangerous than going to a hospital and having
"your" medical records, as used by an identity thief or his/her customer,
reflect an inaccurate blood type, medical history or the existence or
absence of certain allergies as you are trying to access care, particularly
in an emergency situation.
If an impostor uses your insurance to gain access to health care, it can
also affect your own ability to access care: many insurance plans have
yearly caps on certain types of care -- and no insurance company is going
to pay for "one person" to have an appendectomy twice. An identity thief
with access to your insurance could drain your coverage before you even
know it's happened -- and leave you in the lurch when you need it.
There is of course another big target here, namely your prescription
history. Prescription drug abuse was up 10 percent last year, according to
the federal government, and the value of some prescription drugs on the
street is on the rise. An identity thief could very well use their access
to your medical records to get the prescription drugs you need for your own
health and well-being -- leaving you both without your meds and with a
suspicious doctor or pharmacist wondering why you maxed out all your
refills so quickly and are coming back for more.
Massive cyberattacks resulting in the types of breaches we saw at retailers
during the past three months generate a great deal more headlines and
arguably create a greater sense of urgency today than ever before. In
reality, once credit and debit cards are replaced, for the most part, the
immediate danger has passed. Subsequent phishing attacks by email, phone
and text are more problematic but if consumers exercise care, damage can be
contained and issues resolved. However, when it involves medical identity
theft, the crime can be nearly invisible until there's an emergency and the
consequences can literally be life threatening.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/