Most hackers who infiltrate health IT systems are seeking financial data, not medical information, according to a new report by Verizon Communications, InformationWeek reports (Versel, InformationWeek, 10/24).
For the 2012 Verizon Data Breach Investigations Report, researchers analyzed 855 data breaches involving more than 174 million records from the health care, financial services, retail and hospitality industries (Irving, PhysBizTech, 10/24).
In the health care and social services sectors, researchers examined 60 confirmed data breaches that occurred during the past two years. They focused on incidents that involved hacking or the introduction of malware. The report did not examine breaches that involved the loss or theft of portable electronic devices (InformationWeek, 10/24).
Health Care-Related Findings
Most of the analyzed health care data breaches affected organizations with between one and 100 employees, most of which were outpatient facilities like medical and dental practices.
Researchers found that such breaches are "almost entirely the work of financially motivated organized criminal groups, which typically attack smaller, low-risk targets to obtain personal and payment data for various fraud schemes" (PhysBizTech, 10/24).
The report noted that the most common health care data breach scenarios involve hackers:
- Looking online for low-risk targets; and
- Infiltrating systems and planting malware to extract data quickly (Hall, FierceHealthIT, 10/24).
In addition, researchers found that about two-thirds of data breaches continue for months before businesses detect them and that most organizations are unaware of the breach until they are notified by law enforcement officials or credit card companies (PhysBizTech, 10/24).
The report recommended that health care providers:
- Ensure that their credit and debit card readers -- also known as point-of-sale terminals -- are Payment Card Industry Data Security Standard compliant;
- Change passwords on point-of-sale terminals;
- Implement a firewall or access control list on all remote access and administration services; and
- Encrypt user devices and media that contain medical and personal records (FierceHealthIT, 10/24).