Medical Data Theft Rising Because of Its Value

5 Common Failures Companies Make Regarding Data Breaches

During one of the (many) conversations I had last week about security, the topic of credit card security came up. A family member had lamented to me about the number of times her credit cards had been re-issued because they may have been compromised in a breach. She found this very upsetting, which I understand – it isn’t fun having to re-set your credit card payments time after time. I brought up this conversation with a security professional later, and he said to me exactly what I said to my family member: If you are going to have anything compromised, let it be your credit card. It is the easiest thing to fix. Well, at least on the consumer end.

Credit card breaches tend to grab headlines because the companies that were breached are well-known, popular brands – Target, Home Depot, Arby’s. Credit cards are tangible, something we deal with every single day. And they are the one bit of stolen information that can be easily replaced.

Much more problematic are the data compromises and thefts that we don’t see but aren’t so easily fixed. Take this news from an Accenture study, for example: One in four people had their health care information stolen, and half of those were the victims of medical identity theft. And this is the statistic that I find most concerning: 50 percent of the victims found out about the breach themselves, not through the entity that was hacked.

As Jeff Hill, director, Product Management, with Prevalent, said to me in an email comment:

The results of the Accenture report will come as no surprise to cyber security professionals.  Stolen medical records can command orders of magnitude more money than stolen credit card numbers on black markets, making them prime targets for cyber criminals.  Unlike a credit card that can be easily cancelled, medical records include Social Security numbers, birth dates, prescription and medical history, insurance data, and other tantalizing information that can be leveraged in multiple nefarious ways, including lucrative Medicare and insurance fraud. With a nod to Willie Sutton, cyber criminals are targeting medical records simply because that’s where the money is.

It appears, however, that the medical industry is better recognizing the risk to patient data and is stepping up its cybersecurity efforts. The 2017 Thales Data Threat Report found that three-quarters of health care organizations plan to increase security spending in the coming year. According to eSecurity Planet, the reason for the increase is clear:

Fully 90 percent of U.S. healthcare organizations feel vulnerable to data threats.

And no wonder, as Lisa Baergen, director at NuData Security, explained to me in an email comment:

The online policy/account registration and authentication process is broken because passwords are just so freely accessible. And hackable. Most medical facilities and insurance companies haven’t yet invested in systems that have insight into consumer behavior and can predict and prevent unusual activity, unlike many financial institutions, which have been fighting the battle with online criminals since the advent of the internet.

We have the public understanding the risks involved in credit card breaches. Now we have to emphasize how more can be done to protect medical data.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba