During its August cyberthreat briefing to Health Information Trust Alliance or HITRUST, the FBI reported that hackers have targeted healthcare related systems and warned that the hackers may be seeking to obtain patients’ Protected Healthcare Information (PHI).
A one page document disseminated to healthcare industry companies which was obtained by Reuters stated, "these actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data.”
The alert coincides with a report by Tennessee based Community Health Systems (CHS) which disclosed an attack on August 18 regarding the theft of over 4 million records including patient names, addresses, birth dates and Social Security numbers.
Although the FBI's alert is not directly linked to the CHS breach, there are similarities in targets, methods and stolen and sought data, according to FBI Supervisory Special Agent Michael Rosanova.
In April, the FBI warned healthcare providers that the industry was vulnerable to hackers as a result of inadequate cybersecurity systems. In an effort to improve the collection and sharing of intelligence regarding Information Security threats within the healthcare industry, the HITRUST portal was created. The portal allows security officers to communicate across the industry and to access a daily intelligence summary where emerging threat reports and incidents of concern (IOC) are posted to communicate vulnerabilities that may relate to the health sector.
Although the banking and financial industries have more advanced cybersecurity systems, Roy Mellinger, Chief Information Officer for WellPoint noted that the healthcare industry has much greater exposure to data breaches because of the number of individuals and entities with access to PHI including payers, pharmacies, diagnostics and labs.
According to the FBI, a stolen social security or credit card number is typically sold for $1 as compared to a partial Electronic Health Record (EHR), which can be sold for $50. That information can then be used to file fraudulent insurance claims, advance identity theft, and obtain prescriptions. Another important factor is that it often takes twice as long to discover medical data breaches because victims don’t immediately realize that their information has been compromised. Similarly, medical devices that include online tracking and monitoring are also at risk.
With the January 2015 deadline to transition to EHRs approaching, the FBI warns that hackers are likely to seek to exploit vulnerabilities.