Ellen Chang | December 29, 2015

Hackers Set to Target Medical Records and Retailers in 2016

Cybercriminals have already begun targeting additional medical records by launching more malware and phishing attacks as they prey on retailers in a concerted effort to steal more identities and sell them in 2016.

Hackers launched rampant attacks last year as many health care and insurance companies were targeted, including Premera Blue Cross, Anthem, Excellus BlueCross BlueShield, CareFirst BlueCross BlueShield and UCLA Health along with the federal government’s Office of Personnel Management, revealing detailed personal information of hundreds of millions of consumers, including their Social Security numbers and bank account information. This stolen information means consumers are extremely susceptible to identity theft and fraud.

Thwarting these cybercriminals will be daunting as hacking becomes ubiquitous and widespread, leaving very little personal data -- ranging from driver’s license numbers to credit scores -- unscathed.

Medical Records Remain a Target

Cybercrimes are the “new health care crisis,” as the data breaches of the past five years have led to over 143 million compromised patient records, with only more to come, said Oscar Marquez, chief technology officer at iSheriff, a Redwood City, Calif.-based provider of enterprise cloud security solutions. Patient data was largely spared in the past as hackers focused on retailers and financial institutions, but it is now a prime target, because medical records contain a wealth of information such as Social Security numbers, insurance ID numbers, credit card numbers, addresses and medical history, and can easily be used as a weapon to commit fraud, financial theft and identity compromise, he said.

“In 2016, the health care sector will continue to represent a juicy target for cybercriminals, because medical data has more lasting value than other types of information,” Marquez said. “A stolen credit card can be cancelled and fraudulent charges disputed, but resolving medical identity theft is not as straightforward.”

Medical identity theft is burgeoning as a large cottage industry, since these records sell for 10 to 20 times higher than credit card records on the black market, he said.

The largest of these massive breaches can easily be traced back to the health care insurance industry, because for years these companies neglected updating their technology and cybersecurity. Hackers figured out that they would not encounter “much resistance” gaining access to these networks and that they could “lurk undetected” for longer periods of time, Marquez said.

As more doctors, health care facilities and insurance companies digitize their records, hackers will escalate the number of phishing and spear phishing emails to susceptible patients, because “phishing emails work and the attacks take little effort to execute,” said Amy Baker, a vice president at Wombat Security Technologies, a Pittsburgh, Pa.-based provider of security awareness training solutions.

Phony forms are emailed to unsuspecting recipients, who reveal sensitive information when they click on a “dangerous” link or enter private data such as passwords, account identifiers or other information, she said.

Since EMV, the chip-and-PIN credit card technology, is becoming more commonplace and widely adopted by retailers, cybercriminals will forge ahead and move on to lower-hanging fruit, including health care insurers, Marquez said.

“Any health care organization collecting, storing, and transmitting patient data is vulnerable—from the smallest physician practices, clinics, and labs to the largest hospitals, HMOs, PPOs and insurers,” Marquez said. “As government regulation and public scrutiny heats up in the aftermath of this year’s onslaught of breaches, failure to secure sensitive information is going to be increasingly damaging to profits and reputations, not to mention the healthcare system as a whole.”

Retailers Lax With EMV Adoption

The health care industry has not been the only sector hit with considerable data breaches this year: businesses ranging from T-Mobile to Experian became victims, as did the government itself.

“There aren’t enough experienced cybersecurity professionals to fill the thousands of job openings,” Marquez said. “The regulatory, financial, and reputational consequences of negative incidents continue to mount. Cybercriminals are organized, sophisticated and everywhere.”

Despite repeated breaches, the retail industry still remains too lax about payments, and only a small percentage of businesses have fully embraced and installed EMV card terminals, leaving consumers extremely defenseless against further hacking and prone to having their information stolen. Many companies have not even obtained EMV card terminals, while others allow consumers to bypass the PIN option, leaving them open to more fraud.

“The ongoing problems with lax security configuration, weak passwords, and third party access vulnerabilities we’ve seen the last few years will converge with the messy rollout of EMV card terminals,” Marquez said. “Despite the increased security promised by EMV standards, hackers in the coming year will find plenty of opportunities to exploit rushed deployments, customer and cashier confusion and aging POS systems yet to be replaced.”

While there are an estimated 12 million terminals that need to be upgraded, only 40% will be ready by the end of this year, which is a significant issue since many of the major breaches during the past two years were concentrated on the terminal systems being compromised, Marquez said.

“The liability for breaches is increasingly shifting onto retailers,” he said. “The financial costs, lawsuits, federal investigations, customer dissatisfaction and brand damage that follow a breach can be disastrous for a business, its employees and customers.”

Still, although vulnerabilities exist elsewhere, health care looks to be the main target for hackers in 2016.

Your Apps Could Be an Invitation

Just as you have a check-up for your physical health, be sure to run some checks on the technological side of your health life.

Before consumers download an app to their smartphone, they need to ensure it is coming from legitimate app stores such as Google Play, iTunes, or Facebook. In addition, they should change the settings on their phones to prevent app downloads from unofficial stores, said Sam Rehman, chief technology officer of Arxan Technologies, a Bethesda, Md.-based provider of application protection solutions.

Even if you are downloading an app from a health insurance company to check which doctors are in your network, attempt to find out if the app is safe from hacks such as reverse engineering, tampering or malware insertion, he said.

“To ensure that private data and transactions are secure when using your mobile app, demand more transparency about the security of the apps you are using,” Rehman said. “Before you download a mobile app, know the risks you may be opening yourself up to.”

Health care breaches are problematic, because there is “little recourse” once your information has been compromised, said Marc Maiffret, a former hacker in Aliso Viejo, Calif. and former chief technology officer at BeyondTrust, a cybersecurity company.

“In the case of health care institutions, things are not so straightforward in protecting yourself, namely because there is much more identity data stored by healthcare organizations and you are in some cases at the mercy of how good their IT security is,” he said.

Paying close attention to your credit report will alert you to any fraudulent use of your identity and of your existing accounts, Maiffret said.

Read the article on The Street