“Why would hackers go after data in healthcare? What’s the point of it?”
The above question comes up routinely in healthcare security training. Healthcare workers understand and appreciate the need for cyber security training, and also appreciate it’s required. Inquisitive by nature, these staffs want to understand the correlations and connect the dots that don’t seem to join on the surface.
Certainly, it’s easy to see the appeal of going after banks or credit card institutions from a hacker’s point of view: stealing money is a common motive in crime. Hacking government entities can also be reasoned as a target for hackers: revolt or protest or general disobedience can likely be seen as the cause.
Yet why would hackers specifically target healthcare entities?
The answer may not be as clear-cut when compared to the financial industry or government entities. And there are a number of possible reasons, some of which may be working in unison.
Unfortunately, many healthcare entities are still easy prey compared to financial or government targets. Healthcare systems are complex, which affords many opportunities for technical weaknesses or flaws that can be exploited. There are also a number of legacy systems still in operation due to technical or budgetary constraints. A legacy system is often so old it no longer receives security updates or patches, but there might not be a viable or affordable, replacement system for the facility to migrate to using.
The healthcare industry still isn’t under laws or requirements that are as strict as the Payment Card Industry (PCI) that governs the financial sector. While HIPAA, HITECH and the Omnibus Final Rule did bring laws into place, the legislation is still vague and subject to a potential range of interpretation for implementation of security practices.
Medical records are a treasure trove for criminals looking to buy or sell illicit information or capitalize on fraudulent credit. A credit card number or bank account number is easily lost to a hacker: one fraudulent charge is usually all it takes to tip off the account holder that the account has been compromised and subsequently closed. That’s not the case for the data in a medical record, which also happens to be the same information needed to create a fraudulent credit account. Dates of birth, full names, social security numbers, information regarding next of kin – these types of information are static and can’t be changed like a stolen credit card number.
Finally, the data healthcare facilities hold is more easily used as leverage than that of other industries. While ransomware can affect any and all sectors from transportation and distribution to law firms, not many others can potentially hold lives in the balance if the information was not readily available to the worker staff. This urgency is often leveraged to try to force healthcare into paying the ransoms.
The stakes are high for all information security in the digital age. Understanding how important healthcare cyber security can give staff an advantage against hackers.