Security Experts Comment on CareFirst Healthcare Breach

By ISBuzz Team, Writer, Information Security Buzz | May 26, 2015 09:00 pm PST

Cybersecurity experts from HP Security Voltage, Lancope, Tripwire and Secure Channels commented on news of a breach at healthcare provider CareFirst potentially affecting more than 1 million customers.

Mark Bower, Global Director, Product Management, HP Security Voltage

“Healthcare entities are the new data gold mines for attackers. The data is lucrative, often unprotected, and useful for medical and identity fraud. Unfortunately, many healthcare firms do not have modern data-centric protection in place to neutralize breach risks of these kinds of attacks and are thus vulnerable to being plundered from advanced malware. One reason for this dilemma is the lack of regular enforcement of security standards like PCI DSS. Approaches that simply meet minimum compliance regulations are clearly not sufficient.

Other industries like banking, payment processing and retail have learned all too painfully that being compliant means nothing when the attackers are already inside, stealing data from behind the quickly dissolving perimeter. It’s time for the healthcare entities to shift gears to modern data security defenses and join their peers in other industries who’ve already learned how to mitigate these threats and neutralize their data from advanced attacks to protect valuable data assets, enable data-rich analytic insight without risk, and prosper as a result to the delight of their customers.”

Ken Westin, senior security analyst, Tripwire

“Unfortunately, our predictions regarding the healthcare industry becoming a major target are being played out. Both insurance and provider organizations have become targets of criminal groups because the data stored on these systems has become significantly more valuable over time as criminal syndicates have found ways to monetize it. In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It’s no surprise that several organizations have been targeted and compromised.

As we saw with the recent tidal wave of retail breaches, attackers often take advantage of vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes.

Healthcare customers should pay attention because in these types of breaches free credit monitoring and identity theft protection services are actually very useful.

This is the type of breach that can’t be mitigated by changing your credit card number because the data stolen is not something that can be changed. Victims of healthcare breaches will find that their SSN, work history, DOB and other personal data is freely available in underground markets, or shared within various fraud rings.

Elderly victims can be targets of extensive fraud because criminals can use this information to create deceptive campaigns using scare tactics and other methods designed to exploit the trust these consumers have in healthcare organizations in order to extract additional information and money from them.”

Gavin Reid, Vice President of Threat Intelligence, Lancope

“Large-scale attacks on hospital patient record databases, along with areas that are doing medical research, can be an extremely valuable source of data for pharmaceutical and other medical research. Some medical offices have unique patient records and histories spanning years that could never be recreated and have a huge research value. Secondly, the patient records themselves often have very complete PII (Personal Identifying Information) sets that are easily used in the more common data theft scenarios. The last and increasingly common reason is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.

What can be done to stop it? The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection.

What can a consumer do to protect him/herself? Limit who has your personal data when possible – share only with trusted providers that have a need to know. Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”

Richard Blech, CEO, Secure Channels

“CareFirst said the breach was limited to information like customer names, email addresses and birth dates but not more confidential information like medical records and Social Security numbers. I find trivializing what kind of data is stolen as counterproductive. The data stolen is enough to steal the consumer’s identity and ruin someone’s life. Trying to mitigate the damage should not be the goal; all the healthcare industry had to do was encrypt the data in the first place. Deep encryption solves your basic problem: no data is available if breached. So breach away, all the hacker will find is useless bits and bytes. Health insurance firms cannot ignore the responsibility to protect their customers. As I always say… security is not an afterthought.”
