HIPAA Regulatory Alert: Computer hackers step up attacks on health care records
HIPAA Regulatory Alert
Computer hackers step up attacks on health care records
Why is health care information attractive to hackers?
An 85% increase in the number of Internet hacker attacks on its health care clients has been reported by SecureWorks, a security-as-a-service provider. The company says attempted attacks have increased from an average of 11,146 per client per day in the first half of 2007 to an average of 20,630 per client per day in the last half of 2007 through January 2008.
SecureWorks Counter Threat Unit security researcher Don Jackson tells HIPAA Regulatory Alert criminals are looking for additional places from which identifying material can be obtained and have turned to health care companies. "We've seen attacks level out at the normal targets such as banks and financial services companies," he says. "People are asking where else they can find information and are turning to job sites and health care providers. They're turning over another rock."
Jackson says the increase in hacker attacks is likely due to several factors. First, there is an increase in client-side attacks (attacks against employees' PCs). Another factor is that health care organizations have large attack surfaces that hackers can try to break into. Third is the volume of personal, identifiable information and health insurance credentials that are stored by health care organizations; the final reason is the valuable computing resources that are available to health care organizations.
Jackson says hackers often "go after the low-hanging fruit" health care facilities can be easy targets because they often have open networks able to conduct many different functions such as billing, transfer of patient records, and communication with different physician networks. "Health care facilities have to be able to speak many different protocols," he says, "and so there's a lot more doors to guard to be sure controls are in place. If you don't evaluate properly, you may have the wrong controls in place."
Because health care organizations store a lot of valuable personal identifiable information such as Social Security numbers, names, addresses, age, and banking and credit card information, they are valuable targets, Jackson says. Information scammers can develop complete profiles on victims, making them ripe for identity theft. He says the increase in the number of attacks on health care systems correlates to an increase in the price being paid for data that are fraudulently obtained.
Growing market for fraudulent cards
Health care information is particularly sought after, he says, because the criminals can defraud health care providers if they are able to obtain insurance contract and group numbers. There is a growing market, he says, for counterfeit health insurance cards that is being fueled by the increase in health care costs.
Jackson says some criminals involved in bringing illegal immigrants into the United States supply them with complete identity packages that include health insurance cards.
Health care organizations usually have high-bandwidth networks with lots of PCs connected and operations that run every hour of every day. That level of computing resources makes health care organizations a very attractive hacker target because they not only have lots of PCs that can be harvested for valuable data, but the computers can be turned into spam bots that collect e-mail addresses from the Internet to build mailing lists. Also, the health care networks' high bandwidth and server computing power make them a prime target, giving hackers lots of resources in which to run large phishing campaigns (attempts to acquire sensitive information), spam operations, etc.
Solid security plans needed
Jackson says implementing a solid information security and risk management program is a good step toward protecting a health care organization from hacker threats. "HIPAA compliance offers a good baseline," he says. "IT governance frameworks... provide broader guidance. These programs' ultimate product is a defense-in-depth system that matches the healthcare organization's business goals, risk profile, and regulatory compliance requirements."
According to Jackson, health care networks are often less protected than others because there are so many things to evaluate and analyze that those responsible for health information technology may not know where to begin.
HIPAA helped bring about a security culture in health care, he says, but that culture is still more mature in banks and the financial services industry.
"We see [health care organization] people doing their due diligence but not dedicating as much resources even though they have a larger attack surface," he says. "Most health care organizations need to have more people working in IT security than are in the same positions in the financial services industry."
[Editor's note: For more information, contact Don Jackson at (877) 905-6661.]
An 85% increase in the number of Internet hacker attacks on its health care clients has been reported by SecureWorks, a security-as-a-service provider.Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.