One of the biggest threats Americans face this year is with their health — information.
The health-care sector fell victim to hackers multiple times in 2015, and the targets included some of its biggest companies: Anthem, Premera Blue Cross and CareFirst BlueCross BlueShield were all hacked last year. In the process, a total of nearly 95 million patient records were exposed. Once inside the databases of health organizations, cyber criminals potentially have access to Americans' most sensitive personal information, including Social Security numbers, health insurance ID numbers, and even employment and income data.
Why hackers are targeting health care now is two-fold: In part, it's because hackers can make more money selling people's personal information compared to what they can make selling only credit card numbers. It's also partly because of the ease with which hackers can crack the health industry's defenses.
"They're open, leaky systems. It's probably easier to break into a hospital system than it is to break into a bank system," said Katherine Keefe, head of Breach Response Services at Beazley, which provides breach coverage and cyberliability insurance to nearly 500 hospitals and health care providers in the U.S.
Health-care industry experts indicate that providers and the roughly 5,000 hospitals in the U.S. will be just as vulnerable to data breaches in 2016.
Greg Bell, U.S. leader for KPMG Cyber, said much of the focus has been on gaining access to health care systems and exfiltrating (withdrawing) the data, but another form of attack can be even more troubling for the health-care industry. "Think about implications where access to that data is restricted, and then someone says, 'Pay me X dollars or we won't give you the password to the encrypted data,'" Bell said.
Bell's question is no longer theoretical. This week, a Los Angeles hospital's computer network was crippled by hackers who demanded a ransom of near-$4 million in bitcoin to release the hospital's "kidnapped" servers.
Beazley data shows that the company dealt with 750 breaches last year compared to 500 in 2014 — and that hacking was the root cause of roughly one-quarter of those breaches. (Other causes include loss of a physical hard drive or device with data on it, payment card fraud and insiders handing over information. The second-biggest reason for data breaches after hacking was "unintended disclosure," such as an outsider posing as a company employee and being given information by an unwitting company employee.)
KPMG paints a similar picture: In a survey conducted last August, 81 percent of 223 executives in charge of health-care providers and health plans said that their organizations had been the target of at least one cyberattack over the last two years.
According to Gartner security analyst Avivah Litan, the health-care industry is about a decade behind the financial services industry when it comes to security, which makes the entire sector a tempting target for a cyber attack. Hackers are now homing in on health care because they've discovered that while credit card numbers sell for only a few bucks, information about people obtained by combing through their health-records can sell for more than $30.
"Criminals have discovered how much personally identifiable information sells for on the black market, and health-care companies are really good targets for personally identifiable information," Litan said.
Premera Blue Cross and CareFirst BlueCross BlueShield did not respond to a request for comment. Anthem directed CNBC to its AnthemFacts website, which the company set up in the wake of its data breach.
Health-care companies have become more vigilant about training employees on how to spot phishing attacks — the credible-looking email with a malware-infested attachment an employee shouldn't open up. Bell said such attacks continue to be the most common way hackers infiltrate health care systems. Of the 223 health-care executives KPMG surveyed in August, 65 percent of them cited malware as the "most frequently reported line of attack."
When you go to the doctor and fill out a form, if there's a space for your Social Security number, don't put it down.Katherine Keefehead of Breach Response Services at Beazley
As cyber attacks against health-care companies continue, Bell warned that attackers' methods will become more sophisticated to the point where hackers will target specific employees inside health-care organizations. "Hackers can do things like ID existing employees and, with a little bit of online research, they can learn information about the individual," he said. "They can target that email to that individual to make them more likely to trust that email. If you're targeting a bill administrator, for instance, it looks like a bill or an invoice."
"External actors will eventually infiltrate any network, and you need to assume that," said Roy Katmor, CEO and co-founder of data exfiltration prevention company enSilo. "But data breaches are preventable."
To better protect their networks and sensitive patient information, health-care organizations should be spending their time making sure data isn't extracted during or sometime after a cyber attack, Katmor said. The solution is to block an outbound malicious connection. Instead of preventing the initial breach, enSilo works to shut it down as a hacking attack is in progress, which enables a user to continue their work on a compromised computer or tablet.
Gaps in the Health Insurance Portability and Accountability Act (HIPAA) don't help.
According to Karen Porter, executive director of Brooklyn Law School's Center for Health, Science, and Public Policy, the security requirements contained in HIPAA are not as strict as the security requirements for financial services companies.
Health-care organizations can find themselves in trouble if they haven't "followed what HIPAA really asks them to do," Beazley's Keefe said, referring to the HIPAA Privacy and Security Rule. Health-care organizations must "Identify and protect against reasonably anticipated threats to the security or integrity of the information," the rule states, and conduct risk analysis of their online patient data. The government provides a risk analysis tool that companies can opt to use on a voluntary basis.
In recent years, the U.S. Department of Health and Human Services Office for Civil Rights has been fining health organizations for failing to implement policies to detect and contain security breaches. WellPoint — now known as Anthem — was fined $1.7 million in 2013 by HHS after the federal agency said the company left some 600,000 patient records "accessible to unauthorized individuals over the Internet."
That might be cold comfort for the everyday consumer hoping to safeguard their health information.
"If you're really paranoid, you should get identity theft protection, but that protects you for only maybe 10 percent of the information that can be stolen," Litan said. "All you can do is monitor your accounts diligently, so if hackers use it to steal data or money you can report it right away."
Consumers aren't totally defenseless. Diligently monitoring credit card accounts ensures that no fraudulent charges go unnoticed. And Keefe said that "most diligent organizations" in the health-care industry have done away with identifying people using their Social Security numbers, although there's a simple thing consumers can do to fortify their health histories.
"When you go to the doctor and fill out a form, if there's a space for your Social Security number, don't put it down," she said.
— By Andrew Zaleski, special to CNBC.com
