Protecting Medical Identity Is a Must-Win Battle in the War for Cybersecurity
By Rep. Robin Kelly
Feb. 12, 2015, 11:51 a.m.
The cyberattack carried out recently against Anthem, one of the nation’s leading health insurers, is yet another stark reminder of the persistent threats American businesses and consumers face in the digital age.
While attacks on retailers such as Target, the Home Depot and Neiman Marcus already provide grounds for concern, the Anthem attack is disturbing because it presents the most high-profile example of a “new norm” in cybercrime — the theft of medical identity records. These attacks are especially disturbing because medical records contain highly sensitive information about individual Americans.
Health companies are so besieged by cyberattacks that, according to a study by the data protection research firm the Ponemon Institute, 90 percent of health care organizations have had at least one data breach over the past two years. The names, birth dates and Social Security numbers that health care businesses house on their networks are attractive to cybercriminals because they help them open up fake lines of credit or plan other crimes. And larger criminal organizations are willing to dole out huge sums of cash for sensitive medical data. According to a New York Times article by Reed Abelson and Julie Creswell, recent black market auctions have seen complete patient medical records valued at higher prices than credit card numbers. One such auction saw patient medical records sell for as high as $251, while credit card records sold for 33 cents. The reason for this tremendous price disparity is simple: many cybercriminals believe the $3 trillion U.S. health care industry offers the best opportunity to grab huge batches of valuable personal data with the least cyber-resistance (as many health care companies still rely on aging computer systems with outdated security features).
As with any marketplace (criminal or otherwise), new entrants will be drawn to attack health insurers and companies hosting sensitive medical data by the allure of profit. As industries catch on to cybercriminals’ modus operandi, these bad actors will look to innovate their way around newly integrated cyber-defenses and find ways to increase the sophistication and impact of their attacks.
While 80 million people may have been affected by this breach alone, the attack at Anthem is a microcosm of the much larger problem facing the health care service sector. Cybercriminals are as committed as ever to placing the livelihood of American families, workers and businesses in jeopardy for personal gain or for pure pleasure. So what can we do to stop these criminals in their tracks before they cause irreparable harm to our jobs, personal information, and safety? Here are a few suggestions.
First, government (state as well as federal) and industry must better coordinate the sharing of actionable threat information to thwart cyberattacks. The cybersecurity proposal that President Barack Obama released last month will spur public/private cyber-information-sharing and encourage responsible cyber-threat reporting to the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. This will allow for real-time coordination between relevant federal agencies, state partners and private sector-developed and operated information sharing and analysis organizations by providing targeted liability protection for companies that share information with these entities.