Why Am I a HIPAA Target?
by Scott Koger, 2.24.16
Did you know health data is the number one type of data sought by hackers? One reason it is so popular is that health information is usually much more detailed personal information than, say, credit card data.
There is a lot of PHI that goes beyond name, address and phone that can be used to impersonate someone. Secondly, it is the most vulnerable data around, which makes YOU a major target for hackers.
“Half of all data breaches now occur in healthcare. Attacks by hackers on healthcare providers have increased more than 100% since 2010. The FBI warns that health data is highly valued by criminals but healthcare lags badly behind other sectors.
Health data sells for 10 – 20 times more than credit card data.” – 4medapproved
Who Are These Hackers?
Who are these hackers, anyway? In the old days, it was typically a nerdy young man in a basement who hacked a website and/or network because he could. Those days are mostly over. Today, there are large criminal groups and nation states, especially China or Russia, that seek identifiable data that can be sold on the black market.
What Are They Doing with the Data?
If you are hacked, what happens to the data? Once the data is purchased on the black market, it can be used to pose as an individual at prescription mills, obtaining a drug such as OxyContin to sell. Hackers could use the information to access individuals' financial accounts, or sell it for identity fraud.
What about the hack that affected nearly 80 million Anthem members and employees? The attack, which may have also impacted millions of non-customers, exposed names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data, among other identifiable data. Could Anthem have prevented the hack? Many say the Anthem attack could have been prevented with data encryption. As a general rule, encrypted data is both HIPAA compliant and much safer than unencrypted data.
Of course, no solution offers 100% complete protection. Hackers will be hackers and are always perfecting their craft. But that’s no excuse to ignore some simple tasks that can prevent a hacker from accessing your clients’ PHI. What's clear is that a breach, possibly starting with just one administrator's account, gave hackers access to tens of millions of private records.
But I'm a Small Fish!?
Anthem is the country’s second-largest health insurer and you’re just a little guy – why would hackers go after your data? Here, we go back to the fact that health data is the most useful and most vulnerable of all data out there. Why wouldn’t the hackers seek you out?
M. Scott Koger, CISSP, CRISC, C|EH is an IT Security Specialist and PIMSY Consultant who also serves on PIMSY's Advisory Board.