mailing list archives
Why Hackers Are Targeting Health Data
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Jul 2014 19:32:05 -0600
Two years ago, a Utah Department of Health server was breached, allegedly
by Eastern European hackers, and 780,000 individuals were impacted.
Last month, the Montana health department confirmed a server breach
impacting up to 1.3 million individuals.
And now the State of Vermont confirms that a development server of the
Vermont Health Connect, the state's health insurance exchange under the
Affordable Care Act, experienced a cyberattack last December, in which
hackers allegedly accessed data 15 times. The attack, which was tracked to
a Romanian IP address, went undetected for about a month.
In this latest case, because the server was only a development system that
did not contain any production data, there was no breach, Lawrence Miller,
Vermont's chief of healthcare reform, tells Information Security Media
Still, the incident was a wake-up call to Vermont, and technology services
firm CGI Group, which developed the state's exchange and hosts it. "We're
constantly evaluating and improving security," Miller says. "I can't speak
for the hackers' motives, but anytime hackers attack it's usually because
they're looking for something of value, or are doing it for the sport of
seeing what they can do."
Combined, these incidents represent a trend that has caught the attention
of healthcare security leaders nationwide. External attacks are on the
rise, and healthcare organizations need to be prepared to defend against
more than the more common threats they see - i.e. lost laptops and
unauthorized access to records. They need to defend against sophisticated
cybercriminals who seek critical medical data to commit fraud or turn a
In the past, "hackers were MIT freshman who attacked the Harvard network
for fun," says John Halamka, CIO at Beth Israel Deaconess Medical Center in
Boston. "Today it's a totally different kind of attack - highly
sophisticated, organized criminals attempting to get medical Identities."
While a stolen Social Security number might sell for 25 cents in the
underground market, and a credit card number might fetch $1, "A
comprehensive medical record for me to get free surgery might be $1,000,"
Halamka says. "It is a commodity that is hot on the black Internet
Tracking the Hacks
The healthcare sector, as well as government sector systems handling
health-related data, are increasingly targets of cybercriminals because of
the information those systems contain, which ranges from Social Security
numbers to health insurance identification numbers.
The FBI estimates that $80 billion of the $2.2 trillion a year spent on
healthcare in the United States is associated with fraud, with half of that
fraud tied to medical ID theft, says Bill Barr, a development director at
the Medical ID Fraud Alliance.
The number of known medical and healthcare-related breaches is steadily
increasing year over year, according to research by the Identity Theft
Resource Center, which monitors breaches reported by state attorneys
general and other credible sources.
Healthcare-related hacking incidents in 2013 grew to 28 incidents affecting
nearly 1.1 million records; up from 23 incident affecting 879,179 records
in 2012, ITRC found. Those numbers are also up from 2011, when ITRC
identified only eight healthcare hacking breaches affecting about 400,000
According to the 2014 Healthcare Information Security Today survey of about
200 respondents from healthcare organizations, 11 percent reported having a
hacker-related breach in 2013.
"The facts are that Web attacks against information systems in the
healthcare sector are increasing at an alarming rate," says David Holtzman,
vice president of compliance at security consulting firm CynergisTek.
Equally alarming, Holtzman says, is that healthcare organizations have not
ramped up security to respond to these increased threats.
"The reality is that the healthcare sector as a whole has devoted
inadequate resources to safeguarding information systems," he says. "More
than half of all healthcare organizations spend less than 3 percent of
their IT budget to protect data, and almost half do not have a full-time
CISO or information security manager."
The appeal of health data to cybercriminals also presents increasing risk
to segments of the government sector - like public health department
systems that contain health-related data.
"Government computers are a particularly interesting target for two main
reasons," says Rob Barnes, director of public sector at security consulting
firm Coalfire. "First, they are generally more vulnerable, as they are
older systems running older, less secure software. Second, they are rich in
data like Social Security numbers, personally identifiable information,
healthcare, financial information and data that can be used for identity
Steps to Take
How do healthcare organizations prepare to defend against this new and
growing threat? Experts and practitioners recommend critical steps to
improve defense and detection of external attacks.
"Deterrence, prevention, detection and response all have their place," says
security expert Brian Evans, senior managing consultant with IBM Security
Prevention is preferable to detection and reaction. But without data
collection, an organization cannot successfully detect or react to
anything, Evans says. "Alarms, audit and investigation all require
underlying information to detect bad actors and to determine the
effectiveness of controls," he says.
Alerts or alarms should be designed to detect event sequences with
potentially negative consequences. Statistical and anomaly-detection
methods are particularly good for these purposes, as are rule-based
detection mechanisms, Evans says.
But alerts must be set only for "actionable items" that IT or security
teams can follow up on. Too many alerts can have a counter-effect on
detection of breaches and intrusion. For instance, if the "noise level" is
too high, alerts indicating possible breaches can be overlooked among
alerts for non-actionable events.
Security information and event management or log management tools can
augment data collection efforts. "In order to be effective, audit logs
should be at an appropriate level of detail to the loss thresholds being
detected," Evans says.
In addition to deploying technology tools to help defend against and detect
intrusions, Evans says it's important to formally define roles and
responsibilities for incident response. "I still come across informal and
untrained teams," he says. Organizations need to document procedures that
specify what the response team should do if there's an incident and test
those procedures periodically, he notes.
From the practitioner's perspective, Halamka of Beth Israel Deaconess
recommends responding to healthcare breaches as one would to financial
fraud attacks: with a multilayered approach to defense.
"It's not just one technology, it's multiple technologies in order to repel
these highly sophisticated and organized attacks." That includes deploying
SIEM, as well as multifactor authentication to enter critical systems.
"The Internet is increasingly a swamp," Halamka says. "It's no longer
sufficient to just look at standard security logs. You need integrated
security information event management that brings together network logs,
users logs, application logs and server logs, and looks for non-obvious
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus
on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
- Why Hackers Are Targeting Health Data Audrey McNeil (Jul 15)