A stolen medical insurance ID or a personal profile with medical and insurance information can fetch about $1 on the many “Dark Web” sites where hackers market to criminal groups the data they have stolen from healthcare organizations, according to cybersecurity vendor Trend Micro.

A comprehensive personal profile with personally identifiable information, Social Security number, appointment schedule, date of birth and insurance ID number can be sold by a hacker for $5, or kept by the hacker to use, for example, for creating false identities.


A complete electronic health record database is valued at as much as $500,000, depending on the size and content. Sometimes, the treasure trove of data stolen is so large and comprehensive that the price can reach $1 million, says Ed Cabrera, chief cyber security officer at Trend Micro.


Healthcare organizations need to do more than build a firewall and bolt on additional security tools. They need to know where each type of data lives in the EHR and other systems: where it is generated, where it is processed, where it is stored, and who has access to it.

When criminals break into an organization’s systems, they make the same assessments, so an organization needs to fully understand its own processes and security practices, Cabrera contends. “Your apps and infrastructure affect your level of risk and vulnerability,” he adds. “If you can’t see it, you can’t defend it.”

Further, organizations that aren’t patching software aren’t defending themselves. It can take a skilled attacker minutes or even seconds to break in, but often months pass before a provider, payer or vendor knows of the attack. The longer an attacker retains access to the data, the more extensive the breach is likely to be, which is why organizations need to pay more attention to detecting attacks and to speeding up their software patching processes. “Instead of the old way to build a bigger wall, the idea now is to build a better prison,” Cabrera advises.

Patching software is critical and yet remains an afterthought for many organizations, Cabrera contends. Patching should be done on regularly scheduled cycles within an established information security management program, and by experienced personnel, as many security professionals lack the experience to patch. And don’t forget the older, often forgotten systems that are still live somewhere in the organization, still connected to the network, and still holding data.
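The two checks a practitioner would want behind that advice are a patch-age report against a fixed cycle and a reconciliation of the asset inventory against what is actually seen on the network, which is how the forgotten but still-connected systems surface. The following is an added example, not code from the article or from Trend Micro; the inventory, the observed host list, the dates and the 30-day cycle are all constructed for illustration.

```python
"""Patch-cycle and forgotten-asset check (added example, not from the article).

Assumptions: a constructed asset inventory with a last-patched date per host,
a constructed list of hosts observed on the network (as one would get from DHCP
leases or an ARP sweep), and an assumed policy of patching every 30 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

PATCH_CYCLE_DAYS = 30  # assumed policy: every host patched at least every 30 days


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    last_patched: Optional[date]  # None = no patch ever recorded, treated as overdue


# Constructed inventory; none of these are real systems.
INVENTORY: List[Asset] = [
    Asset("ehr-db-01", "clinical-it", date(2017, 2, 20)),
    Asset("ehr-app-02", "clinical-it", date(2017, 1, 5)),
    Asset("billing-03", "finance-it", None),
    Asset("pacs-old-01", "radiology", date(2015, 6, 1)),
]

# Constructed list of hosts seen on the network; "lab-xp-07" is deliberately
# absent from the inventory to stand in for a forgotten, still-connected box.
OBSERVED_HOSTS: List[str] = [
    "ehr-db-01", "ehr-app-02", "billing-03", "pacs-old-01", "lab-xp-07",
]


def overdue_assets(inventory: Iterable[Asset], today: date,
                   cycle_days: int = PATCH_CYCLE_DAYS) -> Dict[str, Optional[int]]:
    """Map each overdue host to its days past the cycle (None if never patched).

    A host is overdue when its last patch is older than cycle_days or when no
    patch date was ever recorded; a missing record is not treated as "fine".
    """
    cutoff = today - timedelta(days=cycle_days)
    result: Dict[str, Optional[int]] = {}
    for asset in inventory:
        if asset.last_patched is None:
            result[asset.host] = None
        elif asset.last_patched < cutoff:
            result[asset.host] = (cutoff - asset.last_patched).days
    return result


def unknown_hosts(inventory: Iterable[Asset], observed: Iterable[str]) -> List[str]:
    """Hosts seen on the network but missing from inventory: candidate forgotten systems."""
    known = {asset.host for asset in inventory}
    return sorted(set(observed) - known)


def patch_report(inventory: Iterable[Asset], observed: Iterable[str], today: date,
                 cycle_days: int = PATCH_CYCLE_DAYS) -> Dict[str, object]:
    """Combine both checks so one run answers 'what is unpatched or unaccounted for?'"""
    inventory = list(inventory)
    return {
        "overdue": overdue_assets(inventory, today, cycle_days),
        "unknown": unknown_hosts(inventory, observed),
    }


if __name__ == "__main__":
    # Constructed reference date so the output is reproducible.
    report = patch_report(INVENTORY, OBSERVED_HOSTS, date(2017, 2, 28))
    for host, days in sorted(report["overdue"].items()):
        print(f"OVERDUE  {host}: {'never patched' if days is None else f'{days} days past cycle'}")
    for host in report["unknown"]:
        print(f"UNKNOWN  {host}: on the network but not in inventory")
```

Run against real data, the observed list comes from whatever already sees every address on the network (DHCP, switch ARP tables, a scanner); the value of the second check is that it does not depend on the inventory being complete, which is exactly the failure the article is warning about.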

The bottom line, according to Cabrera, is to protect the business. “It is hard to defend an organization if they are not improving their patch cycle.” More information is available in a new report from Trend Micro.
