{"id":5605,"date":"2014-05-19T13:00:08","date_gmt":"2014-05-19T20:00:08","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=5605"},"modified":"2014-05-16T13:51:46","modified_gmt":"2014-05-16T20:51:46","slug":"will-healthcare-providers-next-target-cybercriminals","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2014\/05\/will-healthcare-providers-next-target-cybercriminals\/","title":{"rendered":"Will Healthcare Providers Be the Next \u2018Target\u2019 for Cybercriminals?"},"content":{"rendered":"

A few weeks ago, the FBI warned U.S. healthcare providers<\/a> that their cybersecurity systems are more vulnerable to hacking compared to other sectors such as retail.<\/p>\n

That\u2019s a significant statement because, let\u2019s face it, the retail sector has had tough year in cybersecurity. From 40 million credit and debit card numbers stolen from Target and 1.1 million credit and debit card numbers stolen from Neiman Marcus to an eight-month-long security breach at Michael\u2019s, it\u2019s retail that\u2019s dominated the security breach headlines lately, not healthcare.<\/p>\n

But let\u2019s examine the FBI\u2019s reasoning, which includes that personal health information may be even more valuable now than credit card information.<\/p>\n

<\/p>\n

For starters, with all the recent breaches in retail, the online black market for credit cards is currently flooded with supply far exceeding demand driving down prices and therefore cyber criminal profits. Last year, Dell SecureWorks reported<\/a> that in black markets online, U.S. credit card numbers are only selling for $1 to $2 on average while U.S. heath insurance credentials sell for up to $20. That\u2019s a wide and attractive margin.<\/p>\n

At the same time, costs for obtaining credit card information from the retail sector by means of criminal hacking are increasing. The sheer extent of the news coverage of Target and other retail breaches \u2013 and the resulting loss of consumer confidence -- have prompted that industry to not only prioritize security but also to increase spending to bolster prevention, detection, mitigation and forensics capabilities significantly. That means higher costs, lower payoffs, harder work and more risk for cyber crooks who will likely begin to look for greener pastures elsewhere -- such as healthcare.<\/p>\n

Like credit cards, personal health information (PHI) can be used to commit basic financial fraud. But unlike credit cards, which have elaborate fraud detection systems in place to detect and prevent abuse, it may take weeks or even months for victims to realize their personal health information has been stolen. This makes personal health information much more valuable than basic credit card information to cyber criminals. And unlike a credit card number which can be simply cancelled, PHI is much more complicated and much more difficult to deny or restrict access to, so thieves may be able to continue to use it for some time even after the loss has been reported to authorities. Finally, and even more disturbing, is that with access to medical records, criminals can also impersonate patients and obtain prescriptions for controlled substances.<\/p>\n

Having personally been involved with over 30 Application Visibility and Risk Assessments (AVRs) completed in hospitals over the past year, I can attest that the threat is very real. I\u2019ve seen it all: Botnets, malware, medical device hacking, brute force attempts, DDoS attacks, unauthorized applications, a surprising amount of Pinterest, an unbelievable level of bandwidth abuse, potential confidential Personal Health and financial data loss and a ton of unknown UDP.<\/p>\n

While the results of an AVR can be disturbing, they can also be a much needed wakeup call. Completing an AVR with Palo Alto Networks is really the best first step a healthcare organization can take to improve it\u2019s security posture by gaining immediate visibility into what both authorized and potentially unauthorized users are doing on the network.<\/p>\n

Generating an AVR is simple and non-invasive. Working with a Palo Alto Networks sales engineer, all that is required is to plug an evaluation box into a span port on your network and within 15 minutes you will begin to see real time network details on applications, users, malware, botnets and likely much, much more you didn\u2019t even know was there.<\/p>\n

After seven days of data collection, an AVR report can be generated that will provide a complete diagnostic and checkup on your organization\u2019s overall cyber security health. While it contains no personal or organizational specific information it does include tons of valuable statistical data that can be easily understood by both security professionals and administrators which helps facilitate a candid and fact based discussion on how best to move forward improving organizational security.<\/p>\n

If you\u2019re interested in completing an AVR report with Palo Alto Networks you can contact your local sales team or request one here<\/a> and see what you\u2019ve been missing.<\/p>\n

The FBI has proactively issued this warning to healthcare providers rather than wait for a wake-up-call such as the Target breach to motivate change in the sector, which is a good thing. The healthcare industry would be wise to heed it; get an AVR checkup done immediately and don\u2019t let your healthcare organization become the next Target.<\/p>\n","protected":false},"excerpt":{"rendered":"

A few weeks ago, the FBI warned U.S. healthcare providers that their cybersecurity systems are more vulnerable to hacking compared to other sectors such as retail. That\u2019s a significant statement because, let\u2019s …<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,138,410],"tags":[469,468,465,139,466,467],"coauthors":[],"class_list":["post-5605","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-2","category-healthcare","category-vertical","tag-application-visibility-and-risk-assessments","tag-avrs","tag-cybercriminal","tag-healthcare-2","tag-personal-health-information","tag-phi"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/5605","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=5605"}],"version-history":[{"count":1,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/5605\/revisions"}],"predecessor-version":[{"id":5606,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/5605\/revisions\/5606"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=5605"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=5605"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=5605"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=5605"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}