It's not your identity they want, or even your credit card number. Those numbers are hard to exploit for quick cash. Banks and card companies have systems that quickly detect fraud.
So, why go after an insurance company? Because it’s easy, and they can get away with really good stuff. What the Anthem hackers
are after is your medical provider account number associated with your name, social security number and birth date.
You see, medical payment companies are now the lumbering wildebeests of the Internet, staring unwittingly at the veldt while packs of hyenas eye them. They don't seem to understand that they are now the slowest movers in the digital herd. These medical behemoths never had to worry about wholesale fraud...until now.
Credit card companies have been prey for years. They have learned how to evade their enemies, ever increasing their security postures from the point of sale to payment reconciliation. Now, the value of a stolen credit card number erodes in hours and days as the fraud is detected and stolen accounts are suspended very quickly. Some banks can even deliver your replacement card overnight with little risk or concern to the consumer.
What about classic identity theft, then? Why not steal your name, address, birth date and social security number, open a bank account in your name and then make bogus purchases? No, not so fast.
Banks have also been preyed on for years and have figured out ways to evolve their security and yours. It’s much more difficult to turn simple identity theft into easy cash. Banks have tightened their security systems with multi-factor vetting and validation to make this old hustle almost impossible to accomplish anonymously in bulk.
So, what’s a young, tech-skilled criminal supposed to do to make a few bucks these days?
Predators usually single out the slow and weak to attack. If these hackers can steal a medical account, they can quickly sell that number to black marketers for a price up to ten times that of a stolen credit card. The black marketers then use the account number to purchase medical supplies and drugs. Some enterprising black marketers will also create authentic-looking medical cards to sell to the truly desperate, who will use them to visit a clinic, dentist or chain-store optometrist, or even to seek critical care at an emergency room.
The stolen medical accounts stay valid for months until legitimate patients start getting invoices. Medical companies have needed little fraud detection and therefore their detection and recovery instincts are not yet up to the challenge.
Yet, solutions to reduce medical account fraud are technically straightforward. Simply demonetize the value of stolen medical account numbers by requiring two-factor authentication prior to authorizing care delivery. Unfortunately, cybersecurity solutions are rarely, if ever, purely technical.
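To make the "demonetize the stolen number" idea concrete, here is an added example (not code from the original article or from Anthem) of what a second factor in front of care authorization looks like. It implements a standard time-based one-time password (TOTP, RFC 6238 over HMAC-SHA1) and a hypothetical `authorize_care` check against a constructed member directory. The point it demonstrates: everything the Anthem breach exposed (member number, name, date of birth) is still not enough to authorize care, because the attacker does not hold the member's enrolled secret. Member identifiers, names and secrets below are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed sample member directory. In a real payer system the TOTP secret
# would be enrolled on the member's phone/app at signup and stored encrypted.
MEMBERS = {
    "MBR-0001234": {
        "name": "Jane Doe",
        "dob": "1980-01-01",
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret, for illustration only
    },
}

STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def authorize_care(member_id: str, name: str, dob: str, code: str, now: int, window: int = 1) -> bool:
    """Hypothetical pre-authorization check: identity data AND a valid TOTP code are required.

    `window` allows +/- that many 30-second steps of clock drift between the
    member's device and the server. A stolen record with no code fails here.
    """
    rec = MEMBERS.get(member_id)
    if rec is None:
        return False
    # Identity fields are compared in constant time to avoid leaking which field mismatched.
    ident_ok = hmac.compare_digest(rec["name"], name) and hmac.compare_digest(rec["dob"], dob)
    if not ident_ok:
        return False
    # Accept the code for the current step or an adjacent one, never more.
    for drift in range(-window, window + 1):
        expected = totp(rec["totp_secret"], now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    t = 59  # a fixed sample timestamp so the run is reproducible
    legit_code = totp(MEMBERS["MBR-0001234"]["totp_secret"], t)
    print("member with device:", authorize_care("MBR-0001234", "Jane Doe", "1980-01-01", legit_code, t))
    print("stolen record only:", authorize_care("MBR-0001234", "Jane Doe", "1980-01-01", "000000", t))
```

The design choice worth noting is that the secret never travels with the member record that a claims or billing system passes around; the breached fields are treated as public, and the authorization decision rests on proof of possession of the enrolled device.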
First, the medical industry is woefully unprepared for these aggressive digital hyenas. Anti-fraud solutions will be difficult to deploy quickly or cheaply because we are living through the perfect storm in American medicine today. Medical care is provided via a patchwork of independent insurance companies, practitioners and hospitals. Every business interface is another watering hole for predators to hunt.
Second, the industry is reeling from the impact of the Affordable Care Act and its requirements for electronic health record implementation by medical care providers and organizations.
Third, ‘tis the season for mergers and acquisitions. The resulting cost-cutting drills necessary to keep shareholders interested are wreaking havoc on basic cybersecurity practices and processes. Collapsing the industry also means that the existing business systems are hooking up as rapidly as rowdy teenagers on spring break—with about the same attention to cybersecurity hygiene and protection.
It’s unfortunate, but true. This won’t be the last time we witness a big hack into medical service providers. There's going to be a lot more carnage and victims before the industry is ready and able to protect itself against cyber-based medical fraud like we saw at Anthem.
About the Author: Rick Wilson is currently the Director of Enterprise Cyber Solutions at Intelligent Decisions, Inc., where he leads the commercial and non-intelligence government technical counterintelligence and cybersecurity consulting practice. Rick retired from the National Security Agency in 2014 with prior assignments as the Director’s Deputy Special Assistant for Cyber, Technical Director of NSA’s Technical Counterintelligence Center and Technical Director of DHS’s National Cybersecurity Division.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.