February 11, 2015
NEW YORK/BOSTON (Reuters) - Security experts are warning healthcare and insurance companies that 2015 will be the "Year of the Healthcare Hack," as cybercriminals are increasingly attracted to troves of personal information held by U.S. insurers and hospitals that command high prices on the underground market.
Anthem Inc, the No. 2 U.S. health insurer, last week disclosed a massive breach of its database containing nearly 80 million records, prompting investigations by state and federal authorities. That hack followed a breach last year at hospital operator Community Health Systems, which compromised some 4.5 million records.
"People feel that this will be the year of medical industry breaches," said Dave Kennedy, chief executive of TrustedSEC LLC.
In the past decade, cybercriminals focused their efforts on attacking banks and retailers to steal financial data including online banking credentials and payment card numbers. But as those companies boost security, using stolen credit card numbers has become more difficult.
Their prices on criminal exchanges have also dropped, prompting hackers to turn to the less-secure medical sector, just as the amount of digital healthcare data is growing dramatically, Kennedy said.
Stolen healthcare data can be used to fraudulently obtain medical services and prescriptions as well as to commit identity theft and other financial crimes, according to security experts. Criminals can also use stolen data to build more convincing profiles of users, boosting the success of scams.
"All of these factors are making healthcare information more attractive to criminals," said Rob Sadowski, marketing director at RSA, the security division of EMC Corp.
MONETIZING STOLEN DATA
RSA Executive Chairman Art Coviello recently wrote in a letter to customers that he expected well-organized cybercriminals to turn their attention to stealing personal information from healthcare providers.
"A name, address, social and a medical identity ... That's incredibly easy to monetize fairly quickly," said Bob Gregg, CEO of ID Experts, which sells identity protection software and services. Identities can sell for $20 apiece, or more, he said.
Insurers, medical equipment makers and other companies say they have been preparing for breaches after seeing the waves of attacks on other industries.
Cigna Corp has looked to financial and defense companies for best practices, including hiring hackers to break into its systems, said Chief Executive David Cordani. Attempts to break into corporate systems to probe for information are a constant, he said in an interview.
St Jude Medical Inc CEO Daniel Starks said the company increased investment in cybersecurity significantly over the last few years, to protect both patient data and the medical devices it manufactures.
"You may see from time to time law enforcement briefings on nation-based (intellectual property) issues, espionage," he said. "Those are things that we take very seriously and have been briefed on and that we work to guard against."
The FBI is investigating the Anthem breach alongside security experts from FireEye Inc.
The insurers UnitedHealth Group Inc and Aetna Inc have warned investors about the risks of cyber crime in their annual reports since 2011.
UnitedHealth has said the costs to eliminate or address the threats could be significant and that remediation may not be successful, resulting in lost customers.
In response to the Anthem attack, UnitedHealth spokesman Tyler Mason said in an emailed statement: "We are in close contact with our peers in ... the industry cybersecurity organization, and are monitoring our systems and the situation closely."
Aetna has cited the automated attempts to gain access to public-facing networks, denial of service attacks that seek to disrupt websites, attempted virus infections, phishing and efforts to infect websites with malicious content.
Aetna spokeswoman Cynthia Michener said in a statement: "We closely follow the technical details of every breach that's reported to look for opportunities to continually improve our own IT security program and the health sector's information protection practices broadly."