The FBI reportedly sent a warning to healthcare providers that weak cyber security practices are leaving the industry exposed to attacks.
According to a report in Reuters, the agency sent a private notice to healthcare companies stating the industry "is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
The data these firms possess could be a potential boon to hackers. In a report last year, Dell SecureWorks outlined the underground market for pieces of health insurance information ranging from contract numbers to the type of plan a customer has purchased. These packages of data, which can also feature verified bank account numbers and other information, are known in the cyber-underground as 'fullz.' Last year, fullz tended to go for about $500 depending on what was included, with health insurance credentials going for about $20 each with an additional $20 added whenever there is a dental, vision or chiropractic plan associated with the health plan, according to Dell SecureWorks.
News of the FBI warning comes after a cyber-security exercise for the healthcare industry known as the 'CyberRX Initiative.' The initiative is the result of a joint effort by the Health Information Trust Alliance (HITRUST) and the U.S. Department of Health and Human Service (HHS) aimed at determining how prepared organizations are to address cyber-threats. The first exercise was conducted during a seven-hour period on April 1, and the results were released Monday.
During the exercise, the organizations demonstrated varying levels of ability to use threat intelligence, communicate internally and work with external partners in the industry and in government.
The "weakness isn't necessarily on technology implementations, it's the ability to coordinate and collaborate across the myriad of participants in healthcare," Roy Mellinger, WellPoint's vice president and CISO, said in a phone briefing on the CyberRX results on Monday, SecurityWeek reported.
In February, the SANS Institute and security vendor Norse released a report on the healthcare industry, concluding "personal health care information (PHI) and organization intellectual property, as well as medical billing and payment organizations, are all increasingly at risk of data theft and fraud."
"Poorly protected medical endpoints, including personal health devices, become gateways, exposing consumers’ personal computers and information to prowling cybercriminals," according to the report.
"Healthcare networks are not typically built with inherent mechanisms for detecting leaks or breaches in the way that financial networks might be," said Trey Ford, global strategist at Rapid7. "When payment information like credit and debit cards are stolen and moved to the black market, the payment system is designed to pinpoint a 'common point of purchase' so affected accounts can be quickly identified and isolated."