Medical records: the holy grail of data for cybercriminals
Here’s what’s worrisome: Medical records offer a mother lode of juicy data for hackers, putting health care systems at the top of the to-do list for cybercriminals.
Worse, health systems have lagged in securing medical records from thieves, which means the industry is in need of a serious security reboot, said John Schoew, managing director of health cybersecurity at New York City-based digital consultant Accenture. And a simple click on an email link is often all that’s needed for crooks to get inside a hospital network.
“The industry is lagging behind others in investment,” Mr. Schoew said. “Now, they’re playing catch up.”
A ransomware attack crippled Heritage Valley Health System for six days last summer, closing outpatient centers and delaying surgery. HVHS officials have disclosed few details of the attack.
Mr. Schoew said email is the most common way for hackers to get into a computer network. Email attachments, which can look legitimate, can contain a download link that asks the user to give up log-in name and password information.
The outage that hit Heritage Valley was part of a global attack, which was believed to have originated in Ukraine and struck Kenilworth, N.J.-based drugmaker Merck & Co., multinational law firm DLA Piper of Baltimore, and snack maker Mondelez International Inc., which has offices in East Hanover, N.J. The malware locked computer systems before demanding ransom, paid in bitcoin.
Heritage Valley reported the attack June 27 and had restored its systems by July 3. No confidential patient information was stolen, the health system said.
Cybercrooks covet such data because it’s so rich in information, sometimes including credit card information and Social Security and driver’s license numbers, Mr. Schoew said, fueling prescription fraud, credit fraud and identity theft.
“They’re looking to get log-in credentials, allowing cybercriminals to get inside,” he said. “Once a breach is detected, the goal is to minimize it as quickly as possible.”
Failing to contain an intrusion quickly can be expensive, because the longer an attack goes on, the more it costs.
The average cost of cybercrime in 2017 reached $12.5 million per health care organization, a 69 percent increase from $7.4 million reported in 2016, according to findings by Accenture and the Ponemon Institute, a research outfit based in Traverse City, Mich. And an Accenture survey found that 1 in 4 U.S. consumers have had personal medical information stolen from technology systems.
Employees unthinkingly clicking on a download link will continue to be a weak link in computer network security, increasing the need for constant training, experts say. Mr. Schoew has other advice for hospitals.
“Take a risk-based approach to security,” he said. “Understand the threats and vulnerabilities. Make the right investments.”
Heritage Valley Health System didn’t disclose whether a ransom was paid for restoration of its network, but overall the ransomware attack didn’t generate much money for the thieves, Mr. Schoew said. “They ended up making a lot less money than they thought. The good guys found a way to minimize the attack.”