Anthem Inc, the No. 2 U.S. health insurer, last week disclosed a
massive breach of its database containing nearly 80 million records,
prompting investigations by state and federal authorities. That hack
followed a breach last year at hospital operator Community Health
Systems, which compromised some 4.5 million records.
"People feel that this will be the year of medical industry
breaches," said Dave Kennedy, chief executive of TrustedSEC LLC.
In the past decade, cybercriminals focused their efforts on
attacking banks and retailers to steal financial data including
online banking credentials and payment card numbers. But as those
companies boost security, using stolen credit card numbers has
become more difficult.
Their prices on criminal exchanges have also dropped, prompting
hackers to turn to the less-secure medical sector, just as the
amount of digital healthcare data is growing dramatically, Kennedy
said.
Stolen healthcare data can be used to fraudulently obtain medical
services and prescriptions as well as to commit identity theft and
other financial crimes, according to security experts. Criminals can
also use stolen data to build more convincing profiles of users,
boosting the success of scams.
"All of these factors are making healthcare information more
attractive to criminals," said Rob Sadowski, marketing director at
RSA, the security division of EMC Corp.
MONETIZING STOLEN DATA
RSA Executive Chairman Art Coviello recently wrote in a letter to
customers that he expected well-organized cybercriminals to turn
their attention to stealing personal information from healthcare
providers.
"A name, address, social and a medical identity ... That's
incredibly easy to monetize fairly quickly," said Bob Gregg, CEO of
ID Experts, which sells identity protection software and services.
Identities can sell for $20 apiece, or more, he said.
Insurers, medical equipment makers and other companies say they have
been preparing for breaches after seeing the waves of attacks on
other industries.
Cigna Corp has looked to financial and defense companies for best
practices, including hiring hackers to break into its systems, said
Chief Executive David Cordani. Attempts to break into corporate
systems to probe for information are a constant, he said in an
interview.
St Jude Medical Inc CEO Daniel Starks said the company increased
investment in cybersecurity significantly over the last few years,
to protect both patient data and the medical devices it
manufactures.
"You may see from time to time law enforcement briefings on
nation-based (intellectual property) issues, espionage," he said.
"Those are things that we take very seriously and have been briefed
on and that we work to guard against."
The FBI is investigating the Anthem breach alongside security
experts from FireEye Inc.
The insurers UnitedHealth Group Inc and Aetna Inc have warned
investors about the risks of cyber crime in their annual reports
since 2011.
UnitedHealth has said the costs to eliminate or address the threats
could be significant and that remediation may not be successful,
resulting in lost customers.
In response to the Anthem attack, UnitedHealth spokesman Tyler Mason
said in an emailed statement: "We are in close contact with our
peers in ... the industry cybersecurity organization, and are
monitoring our systems and the situation closely."
Aetna has cited the automated attempts to gain access to
public-facing networks, denial of service attacks that seek to
disrupt websites, attempted virus infections, phishing and efforts
to infect websites with malicious content.
Aetna spokeswoman Cynthia Michener said in a statement: "We closely
follow the technical details of every breach that's reported to look
for opportunities to continually improve our own IT security program
and the health sector's information protection practices broadly."
(Additional reporting by Bill Berkrot in New York; editing by
Michele Gershberg and G Crosse)
© 2015 Thomson Reuters. All rights reserved.