2015 Could Be the Year of the Hospital Hack
Health-care organizations often store medical records and other information insecurely.
Medical information is especially useful for criminals planning identity theft or banking fraud.
Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers.
Carl Leonard, principal security analyst for Websense, says hackers are breaking into the computer networks of health-care facilities with increasing frequency and taking valuable personal information that is often secured improperly. In August, Websense researchers reported that over the previous 10 months they had observed a 600 percent increase in attacks on hospitals (see “Hackers Are Homing In on Hospitals”). Leonard’s group now predicts that in 2015 the health-care industry will see a “substantial increase” in thefts of data.
The cause of the uptick isn’t hard to diagnose. Medical organizations across the world are switching to electronic medical records, and computer security is not always a high enough priority during the process, says Leonard. Besides that, he says, easy and fast access to medical information often trumps security.
Various studies suggest that cyber-thieves have identified health data as a soft target. The Ponemon Institute, a U.S. privacy think tank, found that 40 percent of health-care organizations surveyed in 2014 reported being attacked by malware designed to steal data, up from 20 percent in 2010. The Privacy Rights Clearinghouse, which tracks large computer security breaches, reports that nearly four million more records were stolen this year than in any previous year.
Credit card information is less valuable on the black market than it was several years ago, says Don Jackson, director of threat intelligence at the security firm PhishLabs. That market is flooded, and credit card information is becoming less useful without supporting identification information, he says.
Medical records, however, often contain both identification information, such as Social Security numbers, and financial information. This can be enough to build a near-complete picture of an individual. And such information can command hundreds of dollars from black-market customers wanting to impersonate someone for the purpose of accessing bank accounts or drug prescriptions.
Hackers now have “almost a big-data mentality,” Jackson says, in that they routinely deal with huge amounts of information and can draw correlations between disparate sets of stolen data to piece together whole identities.
New devices, including smartphones, tablets, and various medical devices, are being connected to health-care facilities’ networks at an increasing rate. This could introduce new vulnerabilities, says Leonard.