For a hacker who's looking to make money out of stolen personal information, healthcare systems and hospitals can be a one-stop shop. Along with the usual names, addresses, dates of birth, Social Security numbers and claims information come credit card and bank account numbers used to process payments.
Cybersecurity experts advise that payment card data and patient records should be kept on separate network segments, divided by a firewall, so that a compromise of one does not expose the other. At Banner Health, both systems were penetrated.
The Arizona-based health system said last week that hackers tapped into credit and debit card information through point-of-sale systems that process payment card data at dozens of food and beverage outlets serving Banner locations. Banner has hospitals in seven states.
The hack occurred June 17 and went undiscovered until July 7. Six days later, Banner learned patient information and health plan records on its computer networks may have been compromised. In total, records belonging to 3.7 million people may have been affected. Banner spokesman Bill Byron said the incident is under investigation and details won't be known for weeks.
But the breach has left cybersecurity experts wondering whether the healthcare industry, which in the past few years has been hit mercilessly with cyber attacks and ransomware threats, now must also treat its point-of-sale systems as weak spots.
Most of these systems are brought in by third-party vendors, hooked up to a cash register, plugged into the internet and “away they go,” said Chris Ensey, chief operating officer of consultancy Dunbar Security Solutions. Point-of-sale systems “are often treated as somebody else's stuff,” he said, adding that the healthcare organizations view the vendors as responsible for the systems. But each new third-party service provider creates yet another entry point for hackers, he said.
A 2012 Verizon study found that point-of-sale systems are responsible for 48% of assets compromised in healthcare data breaches.
It's important to conduct audits to review how the systems are interacting and what vulnerabilities they might reveal during setup, Ensey said.
Cybersecurity expert Jeremy King said hackers are data omnivores who will feast on one system for one type of data then rummage around for different data.
Criminals regard healthcare records as more valuable than credit card records because their data elements, such as birthdates, addresses and Social Security numbers, can't be readily changed. A credit card, on the other hand, can be canceled once a breach is discovered. Many who steal credit card account information sell it. Prices range from about $5 for a card number to as much as $1,000 for full account information including balances, according to news website Business Insider.
King, who is international director of the PCI Security Standards Council, said it's important to maintain a firewall between point-of-sale systems and other information networks.
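The segmentation King and Ensey describe can be checked rather than assumed. The script below is an added illustration, not code from Banner, Dunbar or the PCI Council: it models a firewall policy as an ordered rule list with first-match, default-deny semantics, then audits it the way a setup review would, by asserting that traffic from the point-of-sale zone and its vendor link can never reach the zone holding patient and claims records while card authorisations to the payment processor still work. It also flags rules that are shadowed by a broader rule above them, the usual way a "deny to clinical" line silently stops working. The zone names, rules and test flows are constructed for the example.

```python
"""Constructed audit of POS-to-clinical network segmentation (example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source zone, or "any"
    dst: str              # destination zone, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# Constructed ruleset for a POS that was "plugged in and away it goes":
# the card terminals can reach anything, including the clinical/EHR zone.
WEAK_RULES = [
    Rule("pos", "internet", "tcp", 443, "allow"),   # card authorisations
    Rule("vendor", "pos", "tcp", 22, "allow"),      # vendor remote support
    Rule("pos", "any", "any", None, "allow"),       # catch-all: no segmentation
]

# Same rules with a misplaced fix: the deny is below the catch-all allow.
MISORDERED_RULES = WEAK_RULES + [Rule("pos", "clinical", "any", None, "deny")]

# Hardened ruleset: POS talks only to the payment gateway, vendor access is
# scoped to the POS zone, PHI boundaries are explicit, everything else is denied.
HARDENED_RULES = [
    Rule("pos", "payment_gw", "tcp", 443, "allow"),
    Rule("vendor", "pos", "tcp", 22, "allow"),
    Rule("pos", "clinical", "any", None, "deny"),
    Rule("vendor", "clinical", "any", None, "deny"),
]

Flow = Tuple[str, str, str, int]  # (src zone, dst zone, proto, dport)

# Flows that must never be allowed: lateral moves from the card-processing side
# or its vendor into the zone holding patient and claims records, or into the
# corporate network. Assumed zone names.
FORBIDDEN_FLOWS: List[Flow] = [
    ("pos", "clinical", "tcp", 445),     # SMB
    ("pos", "clinical", "tcp", 1433),    # SQL Server
    ("pos", "corp", "tcp", 3389),        # RDP
    ("vendor", "clinical", "tcp", 3389),
]

# Flows the business still needs, so the audit also catches over-blocking.
REQUIRED_FLOWS: List[Flow] = [("pos", "payment_gw", "tcp", 443)]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if a concrete flow is matched by the rule (wildcards honoured)."""
    return (rule.src in (src, "any") and rule.dst in (dst, "any")
            and rule.proto in (proto, "any") and rule.dport in (dport, None))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule decides; no match means deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def covers(general: Rule, specific: Rule) -> bool:
    """True if every flow matched by `specific` is also matched by `general`."""
    return (general.src in (specific.src, "any") and general.dst in (specific.dst, "any")
            and general.proto in (specific.proto, "any")
            and (general.dport is None or general.dport == specific.dport))


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(rules)
            if any(covers(rules[i], rule) for i in range(j))]


def audit(rules: List[Rule]) -> List[str]:
    """Return findings for the policy; an empty list means it passes."""
    findings = []
    for src, dst, proto, dport in FORBIDDEN_FLOWS:
        if evaluate(rules, src, dst, proto, dport) == "allow":
            findings.append(f"ALLOWED but forbidden: {src} -> {dst} {proto}/{dport}")
    for src, dst, proto, dport in REQUIRED_FLOWS:
        if evaluate(rules, src, dst, proto, dport) != "allow":
            findings.append(f"BLOCKED but required: {src} -> {dst} {proto}/{dport}")
    for idx in shadowed(rules):
        findings.append(f"SHADOWED rule {idx}: {rules[idx]} never matches")
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("misordered", MISORDERED_RULES),
                        ("hardened", HARDENED_RULES)):
        print(f"== {name} ==")
        for finding in audit(rules) or ["OK"]:
            print(" ", finding)
```

The point of the three rulesets is that the weak and misordered policies both let the POS reach the clinical zone, and the misordered one would pass a casual read because the deny line is present. Running the flows through the policy, rather than eyeballing it, is the audit Ensey recommends at setup time; in practice the forbidden and required flow lists come from the data-flow diagram of the PCI scope and the PHI environment.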
Byron, the Banner spokesman, said so far there is no evidence indicating any of its data were removed or “misused in any way.”
When posted, Banner's breach will be the eighth-largest on HHS' online “wall of shame,” which lists all healthcare data breaches involving 500 or more individuals since 2009.