A few weeks ago, the FBI warned U.S. healthcare providers that their cybersecurity systems are more vulnerable to hacking compared to other sectors such as retail.
That’s a significant statement because, let’s face it, the retail sector has had tough year in cybersecurity. From 40 million credit and debit card numbers stolen from Target and 1.1 million credit and debit card numbers stolen from Neiman Marcus to an eight-month-long security breach at Michael’s, it’s retail that’s dominated the security breach headlines lately, not healthcare.
But let’s examine the FBI’s reasoning, which includes that personal health information may be even more valuable now than credit card information.
For starters, with all the recent breaches in retail, the online black market for credit cards is currently flooded with supply far exceeding demand driving down prices and therefore cyber criminal profits. Last year, Dell SecureWorks reported that in black markets online, U.S. credit card numbers are only selling for $1 to $2 on average while U.S. heath insurance credentials sell for up to $20. That’s a wide and attractive margin.
At the same time, costs for obtaining credit card information from the retail sector by means of criminal hacking are increasing. The sheer extent of the news coverage of Target and other retail breaches – and the resulting loss of consumer confidence — have prompted that industry to not only prioritize security but also to increase spending to bolster prevention, detection, mitigation and forensics capabilities significantly. That means higher costs, lower payoffs, harder work and more risk for cyber crooks who will likely begin to look for greener pastures elsewhere — such as healthcare.
Like credit cards, personal health information (PHI) can be used to commit basic financial fraud. But unlike credit cards, which have elaborate fraud detection systems in place to detect and prevent abuse, it may take weeks or even months for victims to realize their personal health information has been stolen. This makes personal health information much more valuable than basic credit card information to cyber criminals. And unlike a credit card number which can be simply cancelled, PHI is much more complicated and much more difficult to deny or restrict access to, so thieves may be able to continue to use it for some time even after the loss has been reported to authorities. Finally, and even more disturbing, is that with access to medical records, criminals can also impersonate patients and obtain prescriptions for controlled substances.
Having personally been involved with over 30 Application Visibility and Risk Assessments (AVRs) completed in hospitals over the past year, I can attest that the threat is very real. I’ve seen it all: Botnets, malware, medical device hacking, brute force attempts, DDoS attacks, unauthorized applications, a surprising amount of Pinterest, an unbelievable level of bandwidth abuse, potential confidential Personal Health and financial data loss and a ton of unknown UDP.
While the results of an AVR can be disturbing, they can also be a much needed wakeup call. Completing an AVR with Palo Alto Networks is really the best first step a healthcare organization can take to improve it’s security posture by gaining immediate visibility into what both authorized and potentially unauthorized users are doing on the network.
Generating an AVR is simple and non-invasive. Working with a Palo Alto Networks sales engineer, all that is required is to plug an evaluation box into a span port on your network and within 15 minutes you will begin to see real time network details on applications, users, malware, botnets and likely much, much more you didn’t even know was there.
After seven days of data collection, an AVR report can be generated that will provide a complete diagnostic and checkup on your organization’s overall cyber security health. While it contains no personal or organizational specific information it does include tons of valuable statistical data that can be easily understood by both security professionals and administrators which helps facilitate a candid and fact based discussion on how best to move forward improving organizational security.
If you’re interested in completing an AVR report with Palo Alto Networks you can contact your local sales team or request one here and see what you’ve been missing.
The FBI has proactively issued this warning to healthcare providers rather than wait for a wake-up-call such as the Target breach to motivate change in the sector, which is a good thing. The healthcare industry would be wise to heed it; get an AVR checkup done immediately and don’t let your healthcare organization become the next Target.