The devastating cyberattack on Premera Blue Cross shows that medical information is becoming a top target for cybercriminals.
To avoid attacks such as the breach involving more than 11 million people’s medical information, hospital systems, other healthcare providers and insurers should ensure protected health information (PHI) and other sensitive data are locked down whether they are being stored, moved or processed, data security experts say.
“Whether PHI is in a cloud or on premises, clearly medical data has become a big target,” Gerry Grealish, chief marketing officer for cloud security firm Perspecsys Inc., told SearchHealthIT in an interview. “And from what we’ve seen, it’s becoming even more of a lucrative target.”
Grealish and others in the growing security software and consulting sectors say encryption and tokenization are key to preventing such hacker incursions into both cloud and enterprise-based data networks, but it’s important that those protections be layered on top of firewalls and intrusion detection systems.
When giant insurer Anthem Inc. announced last month that customer data, including bank accounts and clinical records, of up to 80 million people had been breached, the company said no medical data had actually been stolen.
In Premera’s case this week, it’s more likely that medical data was indeed compromised as well, the company acknowledged.
Grealish said that with the rapidly expanding digitization of health records, provider and insurer storehouses of PHI can be valuable repositories for criminals seeking to commit medical claim fraud.
Grealish said that while a small piece of medical information about an individual may not be worth more than, say, $20, a patient’s entire medical file could fetch $500.
Multiply those prices by several million, and it’s easy to see why cybercriminals have expanded their purview from the financial and retail industries to the healthcare sphere.
In a post on its own blog, Premera, which operates mainly in the Pacific Northwest, with nearly 2 million customers in Alaska and Washington, offered victims two years of free credit and identity monitoring services and said it had hired Mandiant, a major cybersecurity firm.