FBI warns healthcare providers about cybersecurity

Published 7 May 2014

The FBI has issued a private industry notification (PIN), warning healthcare providers that their cybersecurity networks are not sufficiently secure compared to the networks of the financial and retail sectors, making healthcare systems even more vulnerable to attacks by hackers seeking Americans’ personal medical records and health insurance data. Healthcare data are as valuable on the black market as credit card numbers because the data contain information that can be used to access bank accounts or obtain prescriptions for controlled substances.

Insurance Journal notes that some criminals are combining stolen medical information with credit card data, making it easier to conduct identity theft. A package of stolen consumer data, known as “fullz” or “kitz” on underground exchanges, can sell for $1,000 or more.

According to the PIN, “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” The notice did not mention Healthcare.gov, which has been criticized for its own security flaws, but it did urge recipients to report suspicious or criminal activity to local FBI bureaus or the agency’s 24/7 Cyber Watch.

A series of reports from the private sector have urged healthcare systems to upgrade security measures, but security experts applaud the FBI for issuing its own warning. “I’m really happy to see the FBI doing this. It’s nice to see the attention,” said Shane Shook, an executive with Cylance Inc, a cybersecurity firm.

Retailers and financial institutions have boosted their cybersecurity programs, most recently due to the Target and Neiman Marcus data breaches in which hackers stole millions of customers’ payment card numbers and data. As the supply of stolen payment card data increases, the value of information from those cards is decreasing, leading to an increase in demand for other types of stolen customer information.

It tends to take longer for consumers to realize that their medical information has been stolen or compromised, so medical information remains in strong demand in underground markets. Cybersecurity firm Dell SecureWorks notes that cyber criminals were getting paid $20 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach.

The two-page PIN cited a February 2014 report from SANS Institute which warned that the healthcare industry was ill-prepared to fight growing cyber threats, citing hundreds of attacks on radiology imaging software, video conferencing equipment, routers, and firewalls.