By Caroline Humer and Jim Finkle
NEW YORK/BOSTON (Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
"As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit," said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. "Hospitals have low security, so it's relatively easy for these hackers to get a large amount of personal data for medical fraud."
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
ATTACKS ON THE RISE
The percentage of healthcare organizations that have reported a criminal cyber attack has risen to 40 percent in 2013 from 20 percent in 2009, according to an annual survey by the Ponemon Institute, a think tank on data protection policy.
Founder Larry Ponemon, who is privy to details of attacks on healthcare firms that have not been made public, said he has seen an increase this year in both the number of cyber attacks and the number of records stolen in those breaches.
Fueling that increase is a shift to electronic medical records by a majority of U.S. healthcare providers.
Marc Probst, chief information officer of Intermountain Healthcare in Salt Lake City, said his hospital system fends off thousands of attempts to penetrate its network each week. So far it is not aware of a successful attack.
"The only reason to buy that data is so they can fraudulently bill," Probst said.
Healthcare providers and insurers must publicly disclose data breaches affecting more than 500 people, but there are no laws requiring criminal prosecution. As a result, the total cost of cyber attacks on the healthcare system is difficult to pin down. Insurance industry experts say they are one of many expenses ultimately passed on to Americans as part of rising health insurance premiums.
Consumers sometimes discover their credentials have been stolen only after fraudsters use their personal medical ID to impersonate them and obtain health services. When the unpaid bills are sent on to debt collectors, they track down the fraud victims and seek payment.
Ponemon cited a case last year in which one patient learned that his records at a major hospital chain were compromised after he started receiving bills related to a heart procedure he had not undergone. The man's credentials were also used to buy a mobility scooter and several pieces of medical equipment, racking up tens of thousands of dollars in total fraud.
MEDICARE FRAUD
The government's efforts to combat Medicare fraud have focused on traditional types of scams that involve provider billing and overbilling. Fraud involving the Medicare program for seniors and the disabled totaled more than $6 billion in the last two years, according to a database maintained by the Medical Identity Fraud Alliance.
"Healthcare providers and hospitals are just some of the easiest networks to break into," said Jeff Horne, vice president at cybersecurity firm Accuvant, which is majority-owned by private equity firm Blackstone Group.
"When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems - Windows systems that are 10 plus years old that have not seen a patch."
KPMG partner Michael Ebert said security has been an afterthought for many medical providers - whether it is building encryption into software used to create electronic patient records or in setting budgets.
"Are you going to put money into a brand new MRI machine or laser surgery or are you going to put money into a new firewall?" he said.