For a hacker who's looking to make money out of stolen personal information, healthcare systems and hospitals can be a one-stop shop.
Along with the usual names, addresses, dates of birth, Social Security numbers and claims information come credit card and banking account numbers used to process payments.
Cybersecurity experts will tell you the two types of information should be stored on separate network segments, with a firewall between them, so that a compromise of one does not expose the other. Somehow at Banner Health both systems were penetrated.
The Arizona-based hospital system this week said hackers tapped into credit and debit card information belonging to 3.7 million people through point-of-sale, or POS, systems that process payment card data at dozens of food and beverage outlets serving Banner Health locations. Banner operates hospitals in seven states.
The hack occurred on June 17 and went undiscovered until July 7.
Six days later, Banner learned patient information and health plan records on its computer networks may also have been compromised.
Banner spokesman Bill Byron said the incident is under investigation and that details won't be known or shared for weeks.
But the incident has left cybersecurity experts wondering if the healthcare industry, which in the past few years has been hit mercilessly with data breaches and ransomware threats, now has yet another weak spot—the point-of-sale system.
The vast majority of these systems that process credit card payments are brought in by third-party vendors, hooked up to a cash register, plugged into the internet and “away they go,” said Chris Ensey, chief operating officer of consultancy Dunbar Security Solutions.
Point-of-sale systems "are often treated as somebody else's stuff,” he said, adding that healthcare organizations view the vendors as responsible for the systems.
But each new third-party services provider creates yet another entry point for hackers, he said.
And in fact, a 2012 study by Verizon showed that point-of-sale systems are responsible for 48% of assets compromised in healthcare data breaches.
It's important to conduct audits to review how the systems are interoperating and what vulnerabilities they might reveal during the setup, Ensey said.
Cybersecurity expert Jeremy King said hackers are data omnivores who will feast on one system for one type of data then rummage around for different data, as long as it's marketable.
Criminals regard healthcare records as more valuable than credit card records because their data elements, such as birth dates, addresses and Social Security numbers, can't be readily changed. A credit card, on the other hand, can be canceled once a breach has been discovered.
Last month, a hacker was spotted on the black market offering to sell nearly 10 million patient records for $880,000. A lot of criminals who steal credit card account information will use it themselves for fraudulent purchases or sell it.
Hackers can get anywhere from $5 for a card number to as much as $1,000 for a full set of account details, including balances, according to Business Insider.
"It's big money,” King said.
King, who is international director of the PCI Security Standards Council, said it's important to maintain a firewall between POS systems and other information networks.
“Segmentation is a way to try and reduce your risk,” he said. “Even then, you've got to make sure you do that segmentation correctly, you've got the systems in place and you test it.”
King also advises access to credit card systems be on a “need to know” basis.
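King's advice to segment the POS network, restrict it to need-to-know access and then actually test the result can be expressed as a policy-as-code check run against an exported firewall ruleset. The following is an added example written for this article, not code from Banner Health, the PCI Security Standards Council or any vendor: it models a simplified first-match firewall, then probes whether any payment-terminal address can reach the clinical network (or vice versa), and whether anything other than the payment processor can reach into the POS segment. Every subnet, host address and rule below is constructed for illustration, using RFC 1918 and documentation (TEST-NET) ranges rather than any real network.

```python
"""Policy-as-code check for POS / clinical network segmentation (illustrative).

Models a first-match firewall over constructed rulesets and reports every
probe the ruleset allows but the segmentation policy forbids. All addresses
and rules are made up for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # None means any destination port


def rule(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, ip_network(src), ip_network(dst), dport)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is implicitly denied."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


# Constructed segments (not any real hospital's addressing).
POS_SEGMENT = "10.50.0.0/24"        # cafeteria / gift-shop payment terminals
CLINICAL_SEGMENT = "10.10.0.0/16"   # EHR and health-plan record systems
PROCESSOR = "203.0.113.10/32"       # payment processor endpoint (TEST-NET-3)
OUTSIDE_HOST = "198.51.100.7"       # arbitrary internet host (TEST-NET-2)
PROBE_PORTS = (22, 80, 443, 445, 1433, 3389)


def sample_hosts(cidr: str) -> List[str]:
    """Edge and interior addresses of a subnet, enough to catch broad rules."""
    net = ip_network(cidr)
    hosts = [net.network_address + 1,
             net.broadcast_address - 1,
             net.network_address + net.num_addresses // 2]
    return [str(h) for h in hosts]


def segmentation_findings(rules: List[Rule]) -> List[Tuple[str, str, str, int]]:
    """Return (reason, src, dst, port) for each allowed probe the policy forbids."""
    findings = []
    pos_hosts = sample_hosts(POS_SEGMENT)
    clin_hosts = sample_hosts(CLINICAL_SEGMENT)
    for port in PROBE_PORTS:
        # POS terminals must never reach clinical systems, and vice versa.
        for p in pos_hosts:
            for c in clin_hosts:
                if evaluate(rules, p, c, port) == "allow":
                    findings.append(("pos->clinical", p, c, port))
                if evaluate(rules, c, p, port) == "allow":
                    findings.append(("clinical->pos", c, p, port))
        # Only the processor should be able to initiate into the POS segment.
        for p in pos_hosts:
            if evaluate(rules, OUTSIDE_HOST, p, port) == "allow":
                findings.append(("internet->pos", OUTSIDE_HOST, p, port))
    return findings


# Weak ruleset: a broad "vendor support" rule at the top defeats segmentation.
WEAK_RULES = [
    rule("allow", "10.0.0.0/8", "10.0.0.0/8"),   # "temporary" intranet-wide allow
    rule("allow", POS_SEGMENT, PROCESSOR, 443),
    rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

# Hardened ruleset: inter-segment denies come first, POS egress is limited to
# the processor over TLS, and all other inbound traffic to POS is dropped.
HARDENED_RULES = [
    rule("deny", POS_SEGMENT, CLINICAL_SEGMENT),
    rule("deny", CLINICAL_SEGMENT, POS_SEGMENT),
    rule("allow", POS_SEGMENT, PROCESSOR, 443),
    rule("deny", POS_SEGMENT, "0.0.0.0/0"),
    rule("deny", "0.0.0.0/0", POS_SEGMENT),
    rule("allow", "10.0.0.0/8", "10.0.0.0/8"),   # intranet traffic elsewhere
    rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


if __name__ == "__main__":
    for name, rs in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = segmentation_findings(rs)
        print(f"{name}: {len(found)} violation(s)")
        for reason, s, d, port in found[:5]:
            print(f"  {reason}: {s} -> {d}:{port}")
```

The weak ruleset is the failure mode King warns about: the segmentation rule exists on paper, but an earlier, broader allow (the kind added for a vendor's remote support) matches first, so every probe between the two segments passes. The hardened ruleset places the segment-to-segment denies ahead of any broad allow and pins POS egress to the processor on a single port, which is the "need to know" restriction applied at the network layer. In practice the same check would be fed rules exported from the real firewall rather than the constructed lists here.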
Now, just because Banner's POS system breach was discovered first doesn't mean that was the system that was first hacked, King said. “The forensic investigators will find that out in time.”
Byron, the Banner spokesman, said that so far there is no evidence any of its data were removed or “misused in any way."
Banner's breach is the eighth-largest on the online “wall of shame” kept by the U.S. Department of Health and Human Services (HHS). The site lists all breaches of healthcare information involving 500 or more individuals since 2009.
By far the largest breach on the list was Anthem's in 2015. The cyberattack affected the records of 78.8 million individuals. More than 114.1 million individuals' records have been exposed in the past two years.