Hackers target health care as industry goes digital
“Cybercriminals know that the health industry is moving into EHRs and there’s more data to steal,” said Ann Peterson, program director at the Medical Identity Fraud Alliance, an organization that works to reduce medical fraud.
Electronic health records, or EHRs, are increasingly being used by hospitals and doctors’ offices to store information such as test results and treatment plans, along with data such as patient names, Social Security numbers and birth dates.
Health insurance companies also use EHRs and store other personal data, such as credit card details, making them attractive targets for hackers. This week, Anthem, one of the largest health insurers in the U.S., said sensitive information on possibly 80 million employees and customers had been exposed during a cyberattack. The information thieves made off with included patient names, Social Security numbers, birth dates and medical identification numbers.
The information can be pieced together and used to commit a variety of types of fraud, making it lucrative for hackers. Social Security numbers, for example, can be used to gain access to bank accounts, noted John Kindervag, a principal analyst at Forrester Research.
By targeting Anthem, hackers were able to access information that is commonly used to reset user names and passwords, said Ian Campbell, CEO of Nucleus Research. People are sometimes asked to enter their mother’s maiden name when signing up for services, for example. Since this information is static, it can be combined with a person’s email address to reset a person’s email account.
“People should ask ‘Will I have a problem 10 years from now because someone knows information that’s not normally available?’” he said.
The health care industry is especially vulnerable compared to retailers and banks, which are more accustomed to cyberattacks, said Lynne Dunbrack, research vice president at IDC Health Insights.
“Cybercriminals tend to think of health care organizations as soft targets. Historically, they haven’t invested much in IT, and security specifically,” she said.
The Anthem breach could affect its finances, Dunbrack said. The U.S. Health Insurance Portability and Accountability Act, which aims to keep health care data private, requires that Anthem notify each victim, a process that costs about US$350 per record, Dunbrack said. Companies that violate HIPAA can face substantial fines. Last year, a New York City hospital was fined $4.8 million after it posted the medical data of 6,800 patients to the Web.
Health care breaches can also lead to an uptick in medical fraud, Peterson said. Health records contain insurance details that people can use to impersonate a hacking victim to receive care. Some insurance plans cover costly procedures that others don’t, so there’s a demand for credentials to access better coverage.
A set of medical data that can be used to receive care may fetch between $20 and $200 on the black market, Dunbrack said.
Fraud victims often don’t realize they’ve been attacked until it’s too late. They might receive a notice from their insurer for treatment they never received. Or they may find out in a more dramatic fashion, such as having an allergic reaction to a drug after an imposter altered a medical record.
“It can be deadly, depending on the level of compromise to the medical records and how much of their data is co-mingled with your data,” said Dunbrack.
People need to be as vigilant about protecting and reviewing their medical data as they are with their credit card information, said Peterson at the Medical Identity Fraud Alliance, noting that laws protect people only to a degree.
“We need to do our part and be aware of our medical information,” he said.
5 Billion Android Apps Open to Hacking
Over five billion downloaded Android apps are vulnerable to being hacked, cybersecurity researchers have found, as attackers exploit flaws in Google’s operating system.
Some 96 percent of malware — or malicious software — employed by hackers target Google Android, according to U.S. firm FireEye, which analysed more than 7 million mobile apps on Android and Apple iOS between January and October 2014.
Apps designed to steal financial data were especially popular, the researchers found. The open-source nature of Android allows hackers to find the code behind a popular app, they said, and recreate the app almost identically but with a malicious code to infect users.
“You can get all the code and then you can insert additional instructions and make it look and feel like the original app and no way for a consumer to tell the difference when they download it,” Jason Steer, director of technology strategy at FireEye told CNBC by phone.
Google did not respond to a request from CNBC for comment.
Malware targeted at Google’s operating system has surged from roughly 240,000 unique samples in 2013, to more than 390,000 unique samples in the first three quarters of 2014, according to the research.
Fireye said that one of Android’s biggest vulnerabilities was the way in which its mobile apps communicate information back to servers. It found that much of this communication was unencrypted, leaving it open for hackers to intercept and insert malicious code that can infect end users.
Advertisements also left some app users exposed. Many apps use third-party advertising software to display ads and make money from users. But Steer said that such data collection was often “aggressive,” and warned that sometimes the software communicates this data in an insecure way, leaving it open to hackers.
It is not only Android apps that are vulnerable, however. Vulnerabilities in apps on iOS devices, once seen as very secure, were also identified.
Previously, hackers could only exploit jailbroken iOS devices with malicious apps. Jailbroken devices allow users to install apps not released through Apple’s App Store. Now, FireEye’s researchers said hackers were able to make malware that can attack a non-jailbroken device.
Apple did not respond to a request for comment.
Opportunistic hackers are also sidestepping Apple’s app verification process.
App developers typically build and test an app in beta mode on Apple’s iOS Developer Enterprise Program. It then goes through stringent tests by Apple for security before it is pushed out on the App Store.
But hackers are now creating apps through this program, then sending them to people via text messages or emails as a link. When a user clicks the link, the malicious app is downloaded on their device.
Steer said that because Apple devices have become so popular, hackers see them as a valuable target.