CYBER SECURITY FOR TODAY’S HEALTHCARE ORGANISATIONS

RC: Could you outline some of the reasons why the data held by healthcare organisations is particularly attractive to cyber-criminals? Are health and medical records among the most at-risk information assets?

Moyers: The data held by healthcare organisations is far richer and more persistent than many other forms of personally identifiable data. It frequently contains names, birth dates, addresses and national identification numbers of patients and their dependants. In addition, it may contain policy numbers, diagnosis codes and billing information and information on doctors and other providers. This information is difficult, if not impossible, for victims of identity theft to change, unlike credit card numbers, which can be cancelled in minutes. The health information in a medical record can be used by criminals to purchase medical equipment or drugs that can be resold, or it could be used to present claims to insurance companies in order to seek cash reimbursements. These crimes can take a long time for the victims to detect, allowing the perpetrators time to protect their ill-gotten gains. The value of health information is estimated to be 10 times that of other stolen data.

Plesco: Healthcare information or PHI – protected healthcare information – is very valuable to fraudsters or nation state intelligence operations as it contains all the information needed to fraudulently open a credit card, loan or mortgage application, and in some venues like the US, to file false tax returns. From an intelligence perspective, it provides a view of a target’s health to potentially open leverage points on a target or his or her family and friends. This is information that is targeted and can be exposed, including patient names, home address, telephone number and date of birth, social security numbers or similar unique identifiers, invoice numbers, procedure codes, dates of service, charge amounts, balance due, policy numbers and billing-related status comments. Healthcare data, in some cases if complete, is worth more on the cyber black market per full record than stolen financial data such as bank account information or credit card numbers. They are second behind financial data with regard to black market value.

Jul-Sep 2015 Issue

KPMG