Will hired hackers hit healthcare?

Websites that allow people to hire hackers are popping up and gaining popularity, according to a recent report from The New York Times, and these hired hackers are a major concern for hospitals and health systems.

At a time when significant data breaches are occurring in the healthcare industry, such as the recent one at health insurer Anthem that involved hackers stealing the data of as many as 80 million of its current and former customers, there is a growing industry "of ordinary people hiring hackers," according to the Times.

The process is as simple as going to any of a number of websites that will match people with hackers who will perform tasks for them, including gaining access to email accounts and companies' databases. The Times highlighted one website, called Hacker's List, that provides these services and has put more than 500 hacking jobs out to bid on the website in less than three months.

Healthcare leaders should be concerned about the websites putting hackers out for hire, as those wishing to steal a person's data will be zeroed in on healthcare this year. According to a forecast report from Experian, hackers will be targeting healthcare data more than credit card numbers in 2015.

Why the focus on healthcare data? Because it is the "equivalent to fine dining for cyber miscreants," according to a recent Forbes report. The quantity of information and the value of information a person's healthcare data includes far surpasses that of their credit card information. By getting hold of healthcare data, hackers typically have access to patients' Social Security numbers, payment information, bank accounts, addresses and "troves of personally identifiable information," according to Forbes. Additionally, healthcare data is updated frequently, which is an added plus for those interested in stealing a person's information. 

Sean Murphy, health information privacy and security officer at Leidos, says hackers, including ones that are hired by third parties, are drawn to the healthcare industry because of the value of full health records on the black market. Aarti Shahani of NPR conducted an impromptu investigation and found medical records were being sold in packs of 10 for about $4,700. Credit card numbers can often be purchased for a few cents, according to NPR.

According to Mac McMillan, co-founder and CEO of CynergisTek and chair of the HIMSS privacy and security policy task force, hired hackers should be treated just as any other threat to a healthcare organization's security — as a high priority.

There is no doubt that hackers are focused on the healthcare industry, and Mr. McMillan says that is due to the hacker community seeing healthcare as an easy target. They know the healthcare industry lags in investing in technology and properly addressing security issues. "Survey after survey, report after report and even federal notices, like the one last year from the FBI, highlight the high probability of attacks in healthcare for this reason," says Mr. McMillan.

Mr. Murphy also recognizes the risk of a hospital or health system experiencing a data breach is extremely high. He believes healthcare organizations need to shift where they are focusing their resources to address the issue.

"The adversary knows the controls too — and they work to go around them," says Mr. Murphy. "The resources [healthcare organizations] spend on protecting information should be shifted toward controls like continuous monitoring, incident reporting and disaster recovery."

Outside of hackers gaining access to a hospital or health system's database and stealing information, there is another disturbing threat to healthcare organizations where hackers will make patient data unreadable by using malicious software, called ransomware. When hackers use this technique, access to the patient information is blocked unless the healthcare organization pays a ransom. "This new threat makes adequate backups and recovery processes essential, because if the ransomware is not remediated, the protected health information is lost," says Mr. Murphy.

Hospitals and health systems may feel like they're in a losing battle when trying to avoid sophisticated schemes to steal patient information, especially when websites such as those hiring out hackers are growing in popularity. However, by staying focused on protecting patient information, using data loss prevention methods and assigning resources to responding and recovering from a data breach if one should occur, healthcare organizations can feel more secure in an industry that hackers have their sights on because of its numerous vulnerabilities.

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Featured Webinars

Featured Whitepapers