Friday, November 14, 2014

How health history is more valuable to hackers than your credit card information

By Kelly Yee

A recent article stated that medical records could be sold for up to 20 times more than credit card information on the black market. There are various factors as to why consumers' medical information has become so valuable. This article considers those factors as well as some precautions medical providers can take to better protect themselves against malicious threats.

The first thing that needs to be addressed is why hackers prefer to buy and sell medical records versus credit card information.

If we start with credit card information, we need to ask how much a thief can actually profit from stealing a credit card. Sometimes nothing, maybe a few thousand dollars if he or she is lucky. The fraud detection software that credit card companies deploy is so sophisticated that an attempt to purchase, say, a TV in a state the victim has never been to is flagged and rejected immediately. There are whole departments dedicated to tracking the thief, so that any loss in revenue by the credit card company is minimized. In other words, when it comes to stolen credit card information, there is a low reward for a moderate risk.

Now, take medical records. Most of us probably don't understand why our medical history is valuable. Why does it matter who knows our medical history?

But, in reality, in a thief's mind the real question is "who would be interested in paying the most for the medical information I have?" The answer lies with medical providers.

The advent of electronic records management has created a landscape where a thief can steal batches (tens of thousands) of patient records in one fell swoop. One of the original goals of electronic records management was to give many parties seamless access to an individual's medical records. This way, multiple departments and specialties can all work from a single account of a patient's medical history. This is great for a hospital where different departments need to communicate with one another. From a security standpoint, however, there are now multiple access points too. Electronic records are very useful in one sense, as they help with efficiency, document management and overall accountability, but as with anything that has multiple points of entry, they are now more exposed to malicious use.

HIPAA compliance is another area of consideration, as it also contributes to the increased value of medical records on the black market. HIPAA is a federal law that medical providers must adhere to. It protects a patient's information and includes security safeguards. Any violation by medical providers or their employees can be pursued in a court of law, both criminally and civilly. Simply put, under HIPAA, medical providers are federally required to keep patients' information safe.

Finally, reputation must also be taken into account when considering the value of health records. In the medical community, providers get the majority of their business from referrals and reputation. A security breach or any unprofessional act by a medical provider could cost them several patients, and therefore business.

Now let's look at all of the factors together. Electronic records allow thieves to extract thousands of patients' records in one attack. Medical providers are federally required by HIPAA to keep patients' information safe, and a single HIPAA violation alone could cost the provider millions. Any known breach of patients' information would damage the provider's reputation with patients and partners alike. This means that millions of dollars, and perhaps the provider's existence, could be at stake. In other words, taking into consideration the storage of electronic records, HIPAA compliance and a medical provider's reputation, medical health data offers hackers a high reward for a moderate risk.

Fortunately, security has become a main topic for medical providers and the electronic records management vendors that support them. Security features like the ones Penango offers, where email is encrypted and authenticated, are beginning to be the norm. Two-factor authentication is also becoming the norm: the user needs to know a password and have access to the token that generates a time-varying code. While it is easy to figure out or skim passwords for most user accounts, getting access to the token is much harder; an attacker would have to steal the user's phone or physical key fob. All these options can help reduce the risk of an attack.

http://betanews.com/2014/11/03/how-health-history-is-more-valuable-to-hackers-than-your-credit-card-information/
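The post describes two-factor authentication as a password plus a token that generates a time-varying code. The following is an added example, not Penango's product code or anything from the article, showing how a server side verifies both factors: a PBKDF2 password hash and an RFC 6238 TOTP code, with a drift window and replay protection so that a code skimmed along with the password cannot be reused. The user record layout, the user name and password are constructed; the TOTP secret is the RFC 6238 Appendix B test key, which lets the output be checked against the published vectors.

```python
"""Password + time-based one-time code (TOTP, RFC 6238) verification.

Added example, not Penango's product code. It assumes a user record that
stores a PBKDF2 password hash and a shared TOTP secret; the secret used in
the demo is the RFC 6238 Appendix B test key, the user name and password
are constructed values.
"""
import hashlib
import hmac
import os
import struct

DIGITS = 6            # length of the displayed code
STEP = 30             # seconds per time step
PBKDF2_ROUNDS = 100_000

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int, window: int = 1):
    """Return (accepted, new_last_counter).

    Accepts +-window steps of clock drift between token and server, and refuses
    any counter at or below the last accepted one, so a code that was observed
    (skimmed like a password) cannot be replayed inside its validity window.
    """
    base = at // STEP
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt unless one is supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


def make_user(name: str, password: str, totp_secret: bytes, salt: bytes = b"") -> dict:
    """Constructed user record; a real system would store the secret encrypted at rest."""
    salt, pw_hash = hash_password(password, salt)
    return {"name": name, "salt": salt, "pw_hash": pw_hash,
            "totp_secret": totp_secret, "last_counter": -1}


def authenticate(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass: something the user knows and something the user has."""
    if not check_password(password, user["salt"], user["pw_hash"]):
        return False
    ok, new_last = verify_totp(user["totp_secret"], code, at, user["last_counter"])
    if ok:
        user["last_counter"] = new_last   # remember the consumed time step
    return ok


if __name__ == "__main__":
    user = make_user("alice", "correct horse battery", RFC_TEST_SECRET)
    print(totp(RFC_TEST_SECRET, 59))                                   # 287082 (RFC 6238 vector)
    print(authenticate(user, "correct horse battery", "287082", 59))   # True
    print(authenticate(user, "correct horse battery", "287082", 59))   # False: replayed code
```

The replay check is the part most often left out of home-grown implementations: without `last_counter`, a code captured by the same keylogger or phishing page that took the password remains valid for the rest of its 30-second step plus the drift window.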

Friday, November 7, 2014

Online ads are attacking you

By Jose Pagliery
October 15, 2014: 3:37 PM ET
NEW YORK (CNNMoney)

An especially sneaky type of hack is on the rise. Hackers can infect your computer by piggybacking on Web ads--even on trusted websites.

Hackers are slipping malware into legitimate-looking online advertisements. When you visit sites that serve those ads, you're automatically and unknowingly downloading computer viruses. 

"Malvertising" has hit Amazon, Answers.com, Dictionary.com, Examiner.com, The Jerusalem Post, Last.fm, The Pirate Bay, The Times of Israel, Yahoo, and YouTube this year. 

And it's blowing up. The number of malicious ads has nearly doubled every year since 2011, according to data from security firm RiskIQ. Its researchers have discovered 432,374 of them so far this year. 


"The ad tech industry recognizes this is a serious problem," said Geir Magnusson, CTO of online ad platform AppNexus.

Malvertising makes up a microscopic fraction of the 5 trillion online ads displayed each year in the US alone, according to trackers at comScore. But that's still half a million times our computers could get infected. 

Hackers have used malvertising to steal bank account information and lock up files to hold them for ransom.

A major concern now is that hackers are getting smarter at launching attacks that slip past security scanners -- and are customized to specifically attack you.

Online ad networks allow advertisers to know your physical location, Web history, and what kind of browser, device or operating system you use. Hackers are leveraging this to make ads that only deliver malware under specific circumstances.

If the malware exploits a bug in Windows XP, it won't appear if you use Windows 7. It might only target retirees in Florida on weekdays. That's why malvertisements don't always raise alarms. They won't appear for every scanner.

Hackers also take advantage of a vulnerability in the way online ads are bought and sold. When you navigate to a website, a complex negotiation between advertisers occurs in a matter of milliseconds. The highest-bidding advertiser can show you an ad -- or go back to the market and see if there's an even higher bidder somewhere out there -- all in half a second.

The box reserved for advertising on a website might redirect you to a dozen different computer servers before it finally loads the ad. That's how hackers go unnoticed: The first package of data they send seems fine, but they eventually redirect you to a server that spits out malware. They set up deceptive servers to trick ad networks and consumers alike.
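The redirect chain the article describes (an ad slot bouncing through many servers before the final payload loads) is something a publisher or corporate proxy can look for after the fact. The following is an added example, not code from RiskIQ, AppNexus or any other company named in the article: it reconstructs redirect chains per client from web-proxy log lines and flags chains that are unusually long, pass through hosts the ad department has not vetted, or end in a non-ad content type. The log format, hostnames, client addresses and the vendor allowlist are all constructed for the demonstration.

```python
"""Spotting long or unvetted ad redirect chains in web-proxy logs.

Added example, not code from RiskIQ, AppNexus or any other vendor in the
article. The log format, hostnames and client addresses below are all
constructed for the demo; the allowlist of known ad vendors would come
from a publisher's or ad network's own records.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts this site's ad department has vetted (constructed names).
KNOWN_AD_VENDORS = {"ads.adnet.example", "bid.exchange.example", "cdn.creative.example"}
# Content types an ad slot should never end up fetching.
RISKY_TYPES = {"application/java-archive", "application/x-msdownload",
               "application/octet-stream", "application/x-shockwave-flash"}
MAX_HOPS = 3   # more hops than this is worth a look even when every host is known

# Constructed proxy log: one request per line, key=value fields after the timestamp.
# Client 10.0.0.5 gets a normal creative; client 10.0.0.9 is bounced twice more
# and ends on a host nobody vetted, fetching a Java archive.
SAMPLE_LOG = """\
2014-10-15T15:37:01Z client=10.0.0.5 url=http://news.example/article status=200 type=text/html
2014-10-15T15:37:01Z client=10.0.0.5 url=http://ads.adnet.example/slot?pub=news status=302 location=http://bid.exchange.example/auction
2014-10-15T15:37:01Z client=10.0.0.5 url=http://bid.exchange.example/auction status=302 location=http://cdn.creative.example/banner.js
2014-10-15T15:37:01Z client=10.0.0.5 url=http://cdn.creative.example/banner.js status=200 type=application/javascript
2014-10-15T15:37:02Z client=10.0.0.9 url=http://news.example/article status=200 type=text/html
2014-10-15T15:37:02Z client=10.0.0.9 url=http://ads.adnet.example/slot?pub=news status=302 location=http://bid.exchange.example/auction
2014-10-15T15:37:02Z client=10.0.0.9 url=http://bid.exchange.example/auction status=302 location=http://r1.fastclick-tracker.example/go
2014-10-15T15:37:02Z client=10.0.0.9 url=http://r1.fastclick-tracker.example/go status=302 location=http://r2.fastclick-tracker.example/go
2014-10-15T15:37:03Z client=10.0.0.9 url=http://r2.fastclick-tracker.example/go status=302 location=http://x9-landing.example/kit.jar
2014-10-15T15:37:03Z client=10.0.0.9 url=http://x9-landing.example/kit.jar status=200 type=application/java-archive
"""


def parse_log(text: str) -> list:
    """Turn each log line into a dict of its key=value fields plus the timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        fields["ts"] = ts
        fields["status"] = int(fields.get("status", 0))
        entries.append(fields)
    return entries


def is_redirect(entry: dict) -> bool:
    return 300 <= entry["status"] < 400 and "location" in entry


def build_chains(entries: list) -> list:
    """Link each 3xx response to the same client's next request for its Location."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    chains = []
    for reqs in by_client.values():
        consumed = set()   # indexes already placed in some chain
        for i, start in enumerate(reqs):
            if i in consumed or not is_redirect(start):
                continue
            chain, cur, pos = [start], start, i
            while is_redirect(cur):
                nxt = next((k for k in range(pos + 1, len(reqs))
                            if k not in consumed and reqs[k]["url"] == cur["location"]), None)
                if nxt is None:
                    break
                consumed.add(nxt)
                cur, pos = reqs[nxt], nxt
                chain.append(cur)
            chains.append(chain)
    return chains


def assess(chain: list) -> list:
    """Return the reasons a chain matches the pattern the article describes (empty if none)."""
    reasons = []
    hops = len(chain) - 1
    if hops > MAX_HOPS:
        reasons.append(f"{hops} redirect hops (limit {MAX_HOPS})")
    unknown = sorted({urlparse(e["url"]).hostname for e in chain} - KNOWN_AD_VENDORS)
    if unknown:
        reasons.append("unvetted hosts: " + ", ".join(unknown))
    final_type = chain[-1].get("type", "")
    if final_type in RISKY_TYPES:
        reasons.append(f"final payload type {final_type}")
    return reasons


def find_suspicious(log_text: str) -> list:
    """(client, [urls in chain], [reasons]) for every chain that trips a check."""
    findings = []
    for chain in build_chains(parse_log(log_text)):
        reasons = assess(chain)
        if reasons:
            findings.append((chain[0]["client"], [e["url"] for e in chain], reasons))
    return findings


if __name__ == "__main__":
    for client, urls, reasons in find_suspicious(SAMPLE_LOG):
        print(client, " -> ".join(urls))
        for r in reasons:
            print("   ", r)
```

Because the article notes that malicious creatives are served selectively (by OS, location or time of day), a scanner's own test visits may never see the bad chain; logs from real clients, as used here, are the record that does. The vendor allowlist is the check with the most signal and the most maintenance: every exchange and creative CDN the site legitimately uses must be in it, or honest chains will be flagged too.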
"The ecosystem is optimized to get the right ad displayed at the right time at the highest price," said RiskIQ CEO Elias Manousos. "It was never built to stop fraud."

The system's complexity makes it harder to crack down. When Times of Israel was hit with malvertising in September, it took 14 hours to figure out what ad agency was unwittingly passing along the bad ads, according to Jess Dolgin, whose J Media firm serves as the news website's advertising department.

The advertising industry does take steps to protect the public. For example, AppNexus pays dozens of its staff in New York and India to monitor actual ads all day long. And a special software program, dubbed Sherlock, spots those that violate company policy.

Sherlock catches 35 malicious ads a week. But AppNexus serves 30 billion ads a day. Sherlock can't scan them all -- that would delay display time by minutes. Cybersecurity provider Bromium recently concluded the most thorough solution -- rigorous approval of 100% of ads -- is just not possible for the ad industry.

"There are limits to what you can do in milliseconds," said John Clyman, senior director of security at The Rubicon Project (RUBI), an ad exchange.

So how can you avoid malvertising?

The bare minimum: Don't click on ads, especially if they say something like, "Danger! You need to upgrade your antivirus!" And malware-laced ads can look like authentic car or movie commercials.

Minimize exposure: Always update your operating system, apps and Web browser (including plugins, like Java). Up-to-date antivirus programs will catch some malware -- but not all.

Go all the way: Use something like AdBlock, which stops all advertisements from appearing. But pages designed to look good with ads suddenly look horrendous. And worst of all, this chokes off the main revenue stream for publishers, like CNNMoney or your favorite blog.

Ad companies are also clamping down on each other. AppNexus has a three-strike policy before it suspends business with an ad agency. Security researchers suggest an ad industry honor system that universally revokes privileges. You spew malware, you're out. But the problem is so widespread that sounds untenable too.

"It would be interesting to see if anyone would be left standing," Dolgin said.