The consequences of these breaches are not cheap: over the past few months alone, healthcare organizations in violation of HIPAA have paid millions of dollars in fines. In February, a Miami, Fla.-area non-profit paid $5.5 million to settle a HIPAA case, while a Dallas-area hospital had to pay a $3.2 million HIPAA penalty.
Although healthcare has already seen 97 breaches in 2017, healthcare providers are treating privacy and security as one of their top priorities this year, according to a report released last week by HIMSS at its annual conference.
And it’s not just the big healthcare companies that are the target. Think your chiropractic office is too small for crooks to care? Think again. In May of 2016, Complete Chiropractic & Bodywork Therapies (CCBT) of Ann Arbor, MI had to notify 4,082 patients that their data had been breached after malware was discovered on one of the company’s servers.
The malware was discovered on March 19, 2016, after the server malfunctioned. The malfunctioning of the server triggering CCBT’s security protocols which included isolating the server, blocking Internet access, and changing all workstation and third party passwords. CCBT also installed an additional firewall as an extra precaution.
External forensics experts were brought in to investigate the security incident. Their investigation revealed malware had been installed which scanned the network for passwords and login information and transmitted sensitive data to the hacker(s) command and control server.
Malware – the Silent Culprit in Healthcare Payment System Breaches
Think about how you accept credit and debit cards today. Is it through a terminal where patients make payments? If so, are you assured that payment information is encrypted in the terminal and never reaches your point of sale (POS) system or network, where it could be exposed in the event of a data breach? And are you also certain that none of your offices store or record card numbers in your systems “in the clear”?
Hackers want credit and debit card information because they can resell this information on the black market. Fraudsters then, in turn, purchase the information and use it to buy goods online or in stores.
Malware – a fancy name for malicious software that has been installed in POS system to find clear-text credit and debit card numbers – has been the cause of the majority of data breaches at the POS in the past few years.
Malware can infiltrate a POS or network in a number of different ways:
Third party vendor: In the case of the Target breach, hackers stole credentials from a third party vendor and were able to gain access to Target’s POS system. Once in, they were able to install the malicious code to locate debit and credit card information.
Phishing email: These are phony emails sent by hackers that entice the user to click on a bogus link which will then install malware on the PC, which infiltrates to the network to find clear-text card information.
Faulty security systems: Failing to install common security mechanisms, such as firewalls and penetration scanners, can provide hackers a loophole to get into your system and install malware.
While malware fraud totaled $10 billion in 2014, it is estimated to top at $20 billion by 2018.
Hackers are perfecting their craft, becoming more sophisticated with their malware design, which means it will be increasingly more difficult for those hit to detect that they have been breached.
Stay tuned for Part II on how to defend your data!
This content was provided by Bluefin Payment Soltuions. Bluefin Payment Systems is an integrated partner for ChiroTouch’s payment processing and one of their trusted merchant service providers.