Today another company had a data breach, this time Maine General Health Center. Details on how the hack happened haven’t been released, and it almost doesn’t matter. Well, it definitely matters to them, of course, and to the patients affected. Luckily, though, it sounds like the amount of data is limited and doesn’t include Social Security Numbers or patient data.
At the end of the day, if you are connected to the Internet at all, you will be compromised. I even think there is a formula:
Time to get hacked = Effort to hack / Usefulness of the data
So the more useful your data is and the harder it is to steal it, the longer it will take before it happens. Just to be clear, the usefulness of the data isn’t how useful it is to you, but how useful it is to the hackers.
Medical data was never that useful, and everyone was interested in credit cards or banking information. That is still useful, but the financial institutions got harder to hack with PCI-DSS, and the information became less useful, since the credit card guys are pretty good about detecting fraud and either calling the cardholder or freezing the card. Of course, in the case of some of the attacks there is so much data, say 1.2 million cards, that even if the bad guys only steal $10 from each one before the card gets deactivated, that’s still 12 million bucks. Not bad money for a quick SQL injection hack.
Now, though, we are starting to see medical data becoming more useful, mostly because criminals have figured out that defrauding government programs like Medicaid is easier than trying to sneak 10k of credit card fraud past Visa or Mastercard.
It’s a pretty safe bet that Maine General Health Center is not going to be the last medical institution to get breached.
You can’t really do much on your own to make your data less useful, though an industry can get better by sharing data and connecting systems more, like we saw with credit cards. Since they can detect fraud quicker, they can stop it sooner and reduce their exposure. That made the data less useful, but it took a long time before they did something.
There are a lot of rules around health care data, and one could argue that they have made it harder to hack some sites, but the usefulness of the data is still the same. Until we figure out how to make the data less useful, we’ll keep seeing attacks on medical data.