2014 was a landmark year for the Healthcare Industry when it came to data breaches. 2015 is continuing that trend. According to the Identity Theft Resource Center, the Healthcare Industry accounted for 42 percent of all major data breaches reported in 2014.
Thieves have begun turning their attention to the $3-trillion-a-year Healthcare Industry, whose data is turning out to be worth more than credit card numbers. The Healthcare Industry has not only seen a sharp uptick in the number of large, widely publicized data breaches, but also in the value of the data stolen.
The average price of a single stolen credit card has dropped from $35 to under $1 because of flooded supply, causing thieves to look elsewhere for more profitable sources of revenue. The Healthcare Industry, with its aging infrastructure, slow adoption of security and hasty need to move to electronic medical records, has turned out to be a treasure trove for cyber criminals. Medical data breaches are now rivaling the largest retail breaches. We no longer live in an era where the only threat to our privacy is credit card theft. Today’s cyber-attacks make payment data leaks look like petty theft. Our transition to this new era has been sudden; our medical records, social security information and personal data are all at risk. Because medical records are worth ten times more than credit card numbers, they have become a high-value target. With so many players in the Healthcare Industry, as well as government agencies, being compromised, it is difficult to trust anybody with your information.
When I discuss these facts with others, they tend to ask me “How do you even monetize medical data?” Two words. Medical Fraud. Once medical data is compromised, thieves can submit fraudulent claims to an insurer for payment, costing you, me, healthcare providers, insurers and everyone in between billions of dollars a year. According to the 2015 Experian Data Breach Industry Forecast report, the cost of healthcare breaches is nearing the $6 billion a year mark. That number doesn’t take into consideration fines, fees, unreported fraud, or the side effects on other industries.
It doesn’t stop at medical fraud. Having a patient’s medical history gives a criminal access to sensitive information about that patient, which leads to medical identity theft. Medical identity theft allows a fraudulent person to receive healthcare benefits they’re not entitled to, as well as access to prescription history. This enables thieves to purchase prescription drugs on a patient’s behalf, which are then resold online on black market websites, such as the former Silk Road.
The HPE NonStop, with its unique fault-tolerant features, high availability and mission-critical capabilities, is often in a pivotal position in the healthcare industry and is therefore a prime consumer of medical data. With so much at stake and the ramifications of a healthcare breach so damaging, what can be done, and why isn’t more being done about it?
We all understand that the quicker you detect a breach, the more you limit the damage an attacker can cause, but the current mean time to detection of a breach is over 200 days. That means an attacker is in your network, on your systems, for over 6 months on average, wreaking havoc, and most organizations don’t even have a clue.
XYPRO’s XYGATE Data Protection (XDP), powered by HPE Security Voltage, has the ability to neutralize the damage caused by a breach by rendering the valuable medical and personal data stored on your mission-critical systems useless to a thief. A proper implementation of XDP encrypts or tokenizes medical and personal data while ensuring continuous interoperability with your applications: XDP retains the data formats that your applications currently use, so no modifications to your applications are required.
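To make concrete what "retaining the data formats" buys a defender, here is an added example of vault-based, format-preserving tokenization. It is illustrative code written for this page, not XDP's, Voltage's or XYPRO's implementation, and every name in it (`TokenVault`, `protect_record`, the sample patient records) is assumed. The point it shows: a tokenized SSN still satisfies the same `###-##-####` validation an application already performs, the same input always yields the same token (so joins and lookups keep working), yet the token carries no information about the original value, which lives only in the vault.

```python
import re
import secrets
import string

# Constructed sample records with fictitious values; not real patients.
SAMPLE_RECORDS = [
    {"mrn": "48213907", "ssn": "123-45-6789", "dob": "1970-04-12"},
    {"mrn": "90021554", "ssn": "987-65-4321", "dob": "1985-11-30"},
]

# The kind of format check an existing application might already apply.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Fields that hold PII/PHI and must never leave the host in clear text.
PROTECTED_FIELDS = ("mrn", "ssn")


def same_format(original, candidate):
    """True if both strings have identical length and character classes."""
    if len(original) != len(candidate):
        return False
    for a, b in zip(original, candidate):
        if a.isdigit() != b.isdigit() or a.isalpha() != b.isalpha():
            return False
        if not a.isalnum() and a != b:  # separators must be kept verbatim
            return False
    return True


class TokenVault:
    """Hypothetical vault-based tokenizer (assumption: not XDP's algorithm).

    Digits become random digits and letters random letters of the same case;
    separators such as '-' are kept. The mapping token -> value is held only
    in the vault, so a stolen token reveals nothing without vault access.
    """

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    @staticmethod
    def _random_same_class(ch):
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isupper():
            return secrets.choice(string.ascii_uppercase)
        if ch.islower():
            return secrets.choice(string.ascii_lowercase)
        return ch

    def tokenize(self, value):
        """Return a consistent, format-preserving token for value."""
        if not any(c.isalnum() for c in value):
            raise ValueError("nothing to tokenize in value")
        if value in self._to_token:            # same input -> same token
            return self._to_token[value]
        while True:
            token = "".join(self._random_same_class(c) for c in value)
            # Reject the (unlikely) cases of a no-op token or a collision.
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        """Recover the original value; only the vault can do this."""
        return self._to_value[token]


def protect_record(vault, record, fields=PROTECTED_FIELDS):
    """Replace protected fields with tokens, leaving other fields untouched."""
    out = dict(record)
    for f in fields:
        out[f] = vault.tokenize(record[f])
    return out


def unprotect_record(vault, record, fields=PROTECTED_FIELDS):
    """Inverse of protect_record for code that is authorized to see clear text."""
    out = dict(record)
    for f in fields:
        out[f] = vault.detokenize(record[f])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        prot = protect_record(vault, rec)
        print(prot, "ssn still valid:", bool(SSN_RE.match(prot["ssn"])))
        assert unprotect_record(vault, prot) == rec
```

In a production design the vault is the crown jewel: it must be access-controlled, audited and separated from the application tier, because anyone who can call `detokenize` has the clear-text data. The format check also illustrates the limit of the approach: a token that looks like a valid SSN will pass a regex, so downstream code that must not operate on real identifiers should not be able to tell the difference, and that is the intent.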
The challenge of protecting sensitive data is no longer a concern only for those organizations that process card payments. The extremely valuable and sensitive nature of Personally Identifiable Information (PII), Personal Healthcare Information (PHI) and medical records has thrust the Healthcare Industry right into the cyber-security spotlight. Implementing the proper security infrastructure for the ongoing protection of this data is no longer a nice-to-have, but a critical requirement.
Steve Tcherchian, CISSP