Last week, the Obama Administration announced one of the largest breaches ever of federal employees’ data. This latest breach, involving records of nearly four million current and former government workers, originated in China. There are reports that this breach may have included information from background checks and, therefore, may affect families of federal workers as well. This follows a breach in late May of IRS records in which criminals accessed information on at least 100,000 taxpayers. While American taxpayers, rather than insurers, may be on the hook for these incidents, the breaches provide insight into how the targets of cyber criminals may be shifting from financial information, such as credit card data, to personal and health information. There are also reports indicating that medical devices in hospitals pose a significant risk.
Medical Records/Personnel Data
The recent breaches in the federal government contribute to a growing trend of hackers targeting data beyond credit card information. Experts believe the shift away from credit card information may be due to the black market becoming oversaturated with credit card data from breaches at big retailers. Hackers appear to be using smaller, more surgical attacks. At present, estimates indicate that medical information may be worth 10 times as much as credit card information.
A recent Report indicates that medical devices used in hospitals and clinics may present the weakest point in healthcare’s defenses. Commentators point out that these newest targets may not be limited to medical information, but may include the devices themselves: diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines) and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines).
The Report provides details on the following three “real-world targeted hospital attacks:”
- Hospital Lab Blood Gas Analyzer Attack: Blood gas analyzers are devices used during surgery. The Report found attackers “were moving laterally through the networks due to three malware-infected blood gas analyzers that had ‘enabled backdoors into the hospital networks’” and were able to obtain unencrypted data and send that data to destinations in Europe.
- Hospital Radiology: In the second example, the Report discusses an intrusion through equipment in a hospital’s radiology department. The source of the intrusion was a nurse’s workstation which had been used to browse the internet.
- X-ray Systems: The Report also found an example of malware on a hospital’s system that was installed through a backdoor on the hospital’s x-ray equipment.
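The common thread in the three scenarios above is a medical device talking to hosts it has no clinical reason to talk to: internal workstations (lateral movement) or servers outside the hospital (exfiltration of the unencrypted data the Report describes). The following is an added example, not code from the Report or from the original post, showing the kind of check a hospital’s network team could run over flow records to surface that behaviour. It assumes a constructed device inventory in which each device has a short list of expected internal peers (a lab information system for the analyzers, a PACS server for the x-ray console), treats only RFC 1918 space as internal, and uses constructed flow records with documentation-range addresses standing in for external servers.

```python
"""Flag medical devices that reach external hosts or unexpected internal peers.

Added example (not from the Report or the original post). Assumptions:
  - a device inventory mapping device IP -> (label, expected internal peers);
  - RFC 1918 ranges are 'internal'; anything else is 'external';
  - flow records are (src_ip, dst_ip, dst_port, bytes_sent) tuples.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory (hypothetical addresses and labels).
DEVICES = {
    "10.20.5.11": ("blood-gas-analyzer-1", {"10.20.1.10"}),  # peer: lab info system
    "10.20.5.12": ("blood-gas-analyzer-2", {"10.20.1.10"}),
    "10.20.7.40": ("xray-console-1", {"10.20.1.20"}),        # peer: PACS server
}

# RFC 1918 space only; ipaddress.is_private would also treat documentation
# ranges (203.0.113.0/24 etc.) as private, which is not what we want here.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: (src, dst, dst_port, bytes_sent).
FLOWS = [
    ("10.20.5.11", "10.20.1.10", 5000, 12_000),       # analyzer -> LIS: expected
    ("10.20.5.11", "203.0.113.45", 443, 4_800_000),   # analyzer -> external: exfil
    ("10.20.5.12", "10.20.3.55", 445, 9_000),         # analyzer -> nurse PC: lateral
    ("10.20.7.40", "10.20.1.20", 104, 80_000),        # x-ray -> PACS: expected
    ("10.20.7.40", "198.51.100.9", 8443, 2_100_000),  # x-ray -> external: exfil
    ("10.20.3.55", "10.20.5.12", 22, 300),            # workstation -> analyzer: not a device-originated flow
]


def is_internal(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow):
    """Return an alert tuple for a suspicious device-originated flow, else None."""
    src, dst, port, nbytes = flow
    if src not in DEVICES:
        return None  # only flows originating from inventoried devices
    label, allowed_peers = DEVICES[src]
    if not is_internal(dst):
        return ("external_egress", label, dst, port, nbytes)
    if dst not in allowed_peers:
        return ("unexpected_internal_peer", label, dst, port, nbytes)
    return None


def find_alerts(flows=FLOWS):
    """All suspicious flows, in input order."""
    alerts = []
    for flow in flows:
        alert = classify(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


def egress_bytes_by_device(flows=FLOWS):
    """Bytes each device sent to external destinations; large totals are the exfil signal."""
    totals = defaultdict(int)
    for kind, label, _dst, _port, nbytes in find_alerts(flows):
        if kind == "external_egress":
            totals[label] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for alert in find_alerts():
        print(alert)
    print(egress_bytes_by_device())
```

On the constructed records this flags both analyzers’ outbound transfers and the SMB connection from an analyzer to a nurse workstation, while the inbound SSH session from the workstation is left to a separate inbound-access check. In practice the inventory and peer lists would come from the biomedical engineering asset register, and the same logic can be expressed as a firewall policy so the flows are blocked rather than merely reported.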
Based on these scenarios, commentators caution that hackers could do more damage than merely stealing valuable medical data. For example, vulnerable medical devices could give access to drug infusion pumps, allowing drug dosages to be remotely controlled by someone with malicious intent. As for the insurance industry, these scenarios show that a criminal’s access to an insured’s data may not be limited to the insured’s computer network. Electronic devices used by an insured may provide another path to the insured’s assets.
These recent breaches in the federal government, while perhaps having no immediate impact on insurers, show the early stages of how the threat against insureds has evolved past large-scale credit card data theft. Large-scale credit card theft from big box stores such as Home Depot or Target may become less frequent. As seen with the breach of Sony Pictures in December 2014, insurers and insureds have to consider a number of potentially valuable assets when evaluating insurance coverage for data storage risks. Further, the insurance industry may need to consider the impact of smaller attacks rather than only bracing for the “big one.” Consequently, these breaches at the federal government have just made assessing the risk more difficult for the insurance industry.