Point-of-sale systems are often cybercriminals' way into healthcare practices


Small to medium-sized medical offices attract the bulk of data breaches within the healthcare sector, according to Verizon's 2012 and 2011 Data Breach Investigations Reports. On Oct. 24, the communications firm provided snapshots of the healthcare, financial services, retail and hospitality industries after analyzing 855 data breaches involving more than 174 million compromised records.

[See also: Data-centric security a first step for physicians' mobile device strategies]

The healthcare snapshot reveals that most breaches occurred in businesses with one to 100 employees. Most of the incidents happened at outpatient care facilities such as medical and dental offices.

Verizon reported that attacks were "almost entirely the work of financially motivated organized criminal groups, which typically attack smaller, low-risk targets to obtain personal and payment data for various fraud schemes."

The report noted that most attacks involved hacking and malware, and often focused on point-of-sale (POS) systems. Nonetheless, the study acknowledged the need to protect medical devices and electronic health records (EHRs).

[See also: Safeguarding patients' PHI]

"The good news," the report stated, "is that most attacks can be prevented with some small and relatively easy steps." Here are Verizon's recommendations for healthcare facilities:

  • Change administrative passwords on all POS systems. Hackers constantly scan the Internet for easily "guessable" passwords.
  • Implement a firewall or access control list on remote access/administration services. If hackers can't reach your system, they can't easily steal from it.
  • Avoid using POS systems to browse the web.
  • Ask your POS vendor for information on how to make your system compliant with the Payment Card Industry Data Security Standard.

Electronic medical records stored in a file or database server are less likely to be targeted than POS systems and desktops. "At first glance, this may seem counterintuitive," the report stated, "…but most cybercriminals are more interested in accessing your bank account and applying for loans in your name than they are the details of your last medical exam."

Much like in the retail and food services industries, the money trail in healthcare often leads to the POS systems that process the co-payments for patient visits.

The research also found that close to two-thirds of all breaches go on for months before the business knows it has been compromised. "What's more," the report said, "they almost never detect it themselves; they're typically notified by law enforcement or by credit card brands that have detected the incident through fraud analysis."
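The recommendations above and the detection finding they accompany turn on the same event: a remote-administration service on a POS host being hammered with guessed passwords from the Internet, which shows up in that host's own login log long before a card brand's fraud analysis does. The following is an added example, not code from the article or from the Verizon report; the log format, host names, user names, addresses and thresholds are all constructed for illustration. It groups failed logins by host and source address, raises an alert when one source crosses a failure threshold inside a sliding time window, and records whether a successful login from that source followed the burst, which is the case that turns password guessing into a breach.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the Verizon report). Assumed format: one
# syslog-style line per login attempt on a POS host's remote-access service.
SAMPLE_LOG = """\
2012-10-20T02:14:01 pos-01 rdp: login FAILED user=administrator src=203.0.113.45
2012-10-20T02:14:03 pos-01 rdp: login FAILED user=admin src=203.0.113.45
2012-10-20T02:14:05 pos-01 rdp: login FAILED user=pos src=203.0.113.45
2012-10-20T02:14:07 pos-01 rdp: login FAILED user=administrator src=203.0.113.45
2012-10-20T02:14:09 pos-01 rdp: login FAILED user=manager src=203.0.113.45
2012-10-20T02:14:12 pos-01 rdp: login OK user=administrator src=203.0.113.45
2012-10-20T09:02:44 pos-01 rdp: login FAILED user=frontdesk src=192.168.1.20
2012-10-20T09:02:58 pos-01 rdp: login OK user=frontdesk src=192.168.1.20
2012-10-20T11:30:00 pos-02 vnc: login FAILED user=admin src=198.51.100.7
2012-10-21T11:30:00 pos-02 vnc: login FAILED user=admin src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+): login (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumption: the office LAN uses RFC 1918 space. Checked explicitly because
# ipaddress.is_private also covers the documentation ranges (203.0.113.0/24,
# 198.51.100.0/24) used as stand-in public addresses in the sample above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(src):
    """True if the source address is on the (assumed RFC 1918) office LAN."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def parse(log_text):
    """Turn log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_guessing(events, threshold=5, window_minutes=10):
    """Alert when one source fails `threshold` or more logins against one host
    inside a sliding window, and note whether a login then succeeded."""
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["host"], ev["src"])].append(ev)

    alerts = []
    for (host, src), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span is at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst = fails[start:end + 1]
            cutoff = burst[-1]["ts"] + window
            # A success from the same source shortly after the burst means the
            # guessing worked: that is what becomes a months-long breach.
            hits = [e for e in evs
                    if e["result"] == "OK" and burst[0]["ts"] <= e["ts"] <= cutoff]
            alerts.append({
                "host": host,
                "src": src,
                "service": burst[0]["svc"],
                "failures": len(burst),
                "users": sorted({e["user"] for e in burst}),
                "success_after": bool(hits),
                "success_user": hits[0]["user"] if hits else None,
                "internet_source": not is_internal(src),
            })
            break  # one alert per host/source pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the script raises a single alert: five failures across four account names from 203.0.113.45 in eight seconds, followed by a successful login as administrator from the same address, flagged as coming from outside the LAN. The front-desk typo and the two VNC failures a day apart do not cross the threshold. The threshold and window are assumptions to tune per site; the same logic applies to any remote-access service's log once the regular expression is adapted to its line format.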

You can read the full healthcare industry snapshot here.

Comments (1)

B: Trying to get the personal financial account information is the simplistic, brute-force attack on the front door. The more advanced attacks will use the personal health information to quietly get in the back door of a much larger target...your insurance provider. It's not that hackers/criminals want the details of your last medical exam. It's about healthcare fraud. They want to see what type of coverage exists so they can set up shop to submit fraudulent claims to get at the big money pool of your insurance provider that would also be available to them over a longer term. Also, your personal health details can easily be used in further social engineering attacks on your financial accounts. If they get your DOB, they are a big step closer to accessing your financial accounts.
