An American health insurance company has had more than a million records hacked. In France too, hackers are very interested in health data.
It’s not just Sony and the Pentagon that interest hackers. Health data has also been the subject of cyber attacks, the number of which has been steadily increasing in recent months.
The most recent example took place in the United States. This Wednesday, the American health insurance company CareFirst announced that its computer system had been hacked. The hackers reportedly hold the personal data of more than a million policyholders: customer-area credentials (login and password), dates of birth, e-mail addresses …
The attack took place in June 2014, but was not discovered until recently, when the insurance company wanted to verify that its computer system was intact after the hacking of several large groups specializing in health (Anthem, Premera and Community Health Systems). A truly far-sighted approach.
This time, medical data has been spared, unlike in the attack on Anthem, one of the heavyweights of health insurance in the United States. In January, hackers seized the data of tens of millions of its customers, including their names, dates of birth, social security numbers, medical information, income …
A 600% increase in attacks on hospitals
Cyber attacks on health data are taken very seriously by state authorities. Indeed, 2015 will be “the year of the hospital hack”, MIT Tech Review predicted in December, citing a figure that cannot fail to give pause: intrusions into hospital IT systems have increased by 600% over the past year, according to calculations by Websense, a cybersecurity agency that works for the US Department of Defense.
“For healthcare organizations, the question is not whether they will be attacked, but when,” writes Lynne A. Dunbrack, Vice President of Research at IDC Health Insights and author of a 2014 report on cyber threats in the healthcare sector.
Easy prey
In France, the threat looms. Just two months ago, Labio, a medical biology laboratory, paid the price. Some 40,000 identifiers and hundreds of medical check-ups and blood tests ended up in the hands of the Rex Mundi hacker group, which demanded 20,000 euros in ransom in exchange for not publishing the data. Faced with the laboratory’s refusal to comply, the group disclosed the unencrypted reports of a few patients on the Internet, where they remained available to everyone for several days.
In fact, hackers seem to have gradually lost interest in banks, whose computer systems are too complex, and turned to healthcare establishments and companies in the medical sector. For lack of resources, or of foresight, these organizations have invested only very modest sums in their cybersecurity, and are therefore easy prey.
Industrial espionage, black market
According to the Figaro website, which investigated the subject, hackers also resell this data to insurance companies, which can then adjust their rates with more precise information. The pharmaceutical industry is also said to be interested in this data, in order to establish statistics and refine its marketing strategies. “A lot of diabetics in Alsace? We therefore target the sale of insulin in Alsace,” imagines Vincent Trely, president of the Association for the promotion of the security of health information systems (APSSIS), quoted by the newspaper.
Cautious, the CNIL (National Commission for Informatics and Freedoms) has produced a sheet on its website, entitled “Health data: an imperative, security”. It provides recommendations to “ensure the security of recorded data” and “prevent them from being disclosed or used for misappropriation, especially if the information is covered by medical confidentiality”. With the opening up of health data and the creation of an IT database centralizing them, this problem could become all the more topical, even if we can bet that the servers will be better protected than those of the hospitals. Let’s hope so!