A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

September 24, 2012 • Issue 12:09:02

Health-care fraud: Back with a vengeance

By Nicholas Cucci
Network Merchants Inc.

Some 25 incidents affecting over 215,000 individuals were added to the tally of health-care breaches in the past month. The total since 2009 is now at 489 such breaches affecting over 21 million individuals. The past month was the second in a row with a substantial number of breaches being added to the total.

Although no new breaches were reported for several weeks in the spring of 2012, 79 incidents have occurred so far this year, affecting nearly 2 million people. The loss or theft of unencrypted computing devices or storage media remains the No. 1 cause. Almost 53 percent of all breaches since 2009 have stemmed from this cause.

One bad apple can wreak havoc

Memorial Healthcare Systems in Hollywood, Fla., revealed the largest of this year's incidents in July. This breach involved unauthorized access to more than 102,000 electronic health-care records, which occurred from Jan. 1, 2011 to July 5, 2012.

MHS posted a statement indicating that, during a review that began April 27, 2012, it "discovered that an employee of an affiliated physician's office may have improperly accessed patient information through a web portal used by physicians who provide care and treatment at MHS." Patient names, dates of birth and Social Security numbers may have been accessed. Some other notable health-care breaches this year took place at:

  • Emory Healthcare in Atlanta, Ga.: Revealed in February, the incident involved 10 missing computer disks affecting 315,000 patient records.

  • South Carolina Department of Health and Human Services: Brought to light in April, the case affected 228,000 Medicaid recipients and involved an employee who allegedly transferred patient information to his personal email account.

  • Utah Department of Health: Disclosed in March, the breach affected 780,000 individuals, exposing 280,000 Social Security numbers.

It's not your ancestor's spear fishing

A threat affecting health-care, among other industries, is spear phishing, in which fraudsters target specific individuals through messaging. This can be done via email, text messaging, short message service or any social media avenue.

Criminals are also using malware attacks to take advantage of security weaknesses in Microsoft Corp.'s Windows operating system. Such malware can be installed via a back-end attack or by getting an employee with administrative privileges to open a malicious link. The fraudster then acquires data by creating an auto-export capability through a file-transfer protocol included in the malware, emailing data, or using an insider to download data onto a separate drive.

Enemies are poised to strike

ISOs and merchants can create barriers to entry by monitoring incoming and outgoing traffic on their networks for anomalies, using third-party forensics companies to evaluate networks and systems, and performing regular risk assessments.

Detecting fraud patterns across multiple channels has been an ongoing challenge for most ISOs, banks and credit unions. After a health-care data intrusion is discovered, organizations are required to disclose the nature and scope of the breach to the Office of Civil Rights, to be added to what is known in the industry as the federal government's "Wall of Shame" (see ocrportal.hhs.gov/ocr/breach/breach_report.jsf). According to the OCR, the health-care records of nearly 30 million people have been compromised since September 2009.

Time to trumpet the message

Most entities - private and public - are doing an abysmal job of protecting data. So this is a good time to broadcast more information about compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards, and the Health Insurance Portability and Accountability Act (HIPAA).

Control measures are an important aspect of maintaining secure business practices. The human element is the hardest part to control. The PCI DSS limits access to cardholder data to minimize the risk of theft; access should be strictly limited to people who have a business need for it. Additionally, each person with access must have a unique identifier, and organizations must ensure a full audit trail.

The PCI DSS covers anyone who processes and stores credit card information. PCI compliance requirements are tiered. The amount of data covered directly reflects on the level of PCI compliance an organization must meet. HIPAA covers all health-care providers who have access to and store sensitive medical data.

To obtain full PCI compliance, organizations must follow certain actions, whereas HIPAA sets a distinction between "required" and "addressable" actions. HIPAA contains general rules; the PCI DSS is direct and specific.

Stealing data pays

Following are some current black market values for stolen financial data, according to RSA, the Security Division of EMC Corp.:

  • $1,000 for the name and password of an online bank account
  • $80 for mag stripe data on a premium-level credit card
  • $6 for mother's maiden name
  • $3 for a Social Security number

So take measures now to keep your organization off the Wall of Shame. To paraphrase Sun Tzu (by way of The Godfather's Michael Corleone): Keep your storage devices close, and your employees closer. end of article

Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at ncucci@nmi.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing