Last month, the FBI warned healthcare providers to guard against
cyber attacks after one of the largest U.S. hospital operators,
Community Health Systems Inc, said Chinese hackers had broken into
its computer network and stolen the personal information of 4.5
million patients.
Security experts say cyber criminals are increasingly targeting the
$3 trillion U.S. healthcare industry, which has many companies still
reliant on aging computer systems that do not use the latest
security features.
"As attackers discover new methods to make money, the healthcare
industry is becoming a much riper target because of the ability to
sell large batches of personal data for profit," said Dave Kennedy,
an expert on healthcare security and CEO of TrustedSEC LLC.
"Hospitals have low security, so it's relatively easy for these
hackers to get a large amount of personal data for medical fraud."
Interviews with nearly a dozen healthcare executives, cybersecurity
investigators and fraud experts provide a detailed account of the
underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers,
diagnosis codes and billing information. Fraudsters use this data to
create fake IDs to buy medical equipment or drugs that can be
resold, or they combine a patient number with a false provider
number and file made-up claims with insurers, according to experts
who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a
patient or their provider, giving criminals years to milk such
credentials. That makes medical data more valuable than credit
cards, which tend to be quickly canceled by banks once fraud is
detected.
Stolen health credentials can go for $10 each, about 10 or 20 times
the value of a U.S. credit card number, according to Don Jackson,
director of threat intelligence at PhishLabs, a cyber crime
protection company. He obtained the data by monitoring underground
exchanges where hackers sell the information.
ATTACKS ON THE RISE
The percentage of healthcare organizations that have reported a
criminal cyber attack has risen to 40 percent in 2013 from 20
percent in 2009, according to an annual survey by the Ponemon
Institute think tank on data protection policy.
Founder Larry Ponemon, who is privy to details of attacks on
healthcare firms that have not been made public, said he has seen an
increase this year in both the number of cyber attacks and number of
records stolen in those breaches.
Fueling that increase is a shift to electronic medical records by a
majority of U.S. healthcare providers.
Marc Probst, chief information officer of Intermountain Healthcare
in Salt Lake City, said his hospital system fends off thousands of
attempts to penetrate its network each week. So far it is not aware
of a successful attack.
"The only reason to buy that data is so they can fraudulently bill,"
Probst said.
Healthcare providers and insurers must publicly disclose data
breaches affecting more than 500 people, but there are no laws
requiring criminal prosecution. As a result, the total cost of cyber
attacks on the healthcare system is difficult to pin down. Insurance
industry experts say they are one of many expenses ultimately passed
on to Americans as part of rising health insurance premiums.
Consumers sometimes discover their credentials have been stolen only
after fraudsters use their personal medical ID to impersonate them
and obtain health services. When the unpaid bills are sent on to
debt collectors, they track down the fraud victims and seek payment.
Ponemon cited a case last year in which one patient learned that his
records at a major hospital chain were compromised after he started
receiving bills related to a heart procedure he had not undergone.
The man's credentials were also used to buy a mobility scooter and
several pieces of medical equipment, racking up tens of thousands of
dollars in total fraud.
MEDICARE FRAUD
The government's efforts to combat Medicare fraud have focused on
traditional types of scams that involve provider billing and
overbilling. Fraud involving the Medicare program for seniors and the
disabled totaled more than $6 billion in the last two years,
according to a database maintained by Medical Identity Fraud
Alliance.
"Healthcare providers and hospitals are just some of the easiest
networks to break into," said Jeff Horne, vice president at
cybersecurity firm Accuvant, which is majority-owned by private
equity firm Blackstone Group.
"When I've looked at hospitals, and when I've talked to other people
inside of a breach, they are using very old legacy systems - Windows
systems that are 10 plus years old that have not seen a patch."
KPMG partner Michael Ebert said security has been an afterthought
for many medical providers - whether it is building encryption into
software used to create electronic patient records or in setting
budgets.
"Are you going to put money into a brand new MRI machine or laser
surgery or are you going to put money into a new firewall?" he said.
(Additional reporting by Susan Kelly in Chicago; Editing by Michele
Gershberg and Tiffany Wu)
© 2014 Thomson Reuters. All rights reserved.