By: Stanley Louissaint
Data breaches are one of the biggest threats and concerns today for an individual. There are two industries where these threats have impacted individuals the most — healthcare and retail. Does either one of these industries pose a greater threat than the other? I think so.
Retailers have a history of being lax in their security protocols as it pertains to protecting customer information. The primary objective of a retailer is to sell more goods to the consumer. One method used to facilitate that goal is offering customers as many payment options as possible. For a majority of stores, these payment options include a major brand credit card, a store card, check, and/or cash.
The primary data target of breaches, as it pertains to retailers, is typically not customer information but their major brand credit card information. The value lies in the ability to make purchases before the credit card company has a chance to figure out what’s going on.
After the credit card information is stolen from a retailer, things often move rapidly. Cybercriminals proceed to sell this information to other criminals, who will then make physical credit cards out of this information and go on a buying spree with your money. Once the threat is detected, usually by the credit card company, all the affected accounts are deactivated. The customers are then issued new credit cards to replace the compromised ones, and they are offered some sort of free identity protection service.
In addition, there have been instances where customer information, such as email addresses, has also been stolen. The purpose is to carry out phishing attacks, because the senders can disguise their email to appear to come from a retailer that you have previously done business with. This type of breach requires more effort to cultivate the data and fool the customer into willingly giving up the information. Well, is there an easier way? Yes, healthcare.
Healthcare poses the biggest data breach threat. The value of the target is higher in healthcare organizations as a patient record is a treasure trove of information that contains highly sensitive data about an individual. Patient records include things such as name, address, date of birth, social security number, health insurance billing information, employer data, health history, credit card numbers, and even a photograph in some instances.
Underground cybercriminal exchanges can fetch between 10 and 20 times more money for patient data than for consumers' credit card information. Unfortunately, there is another added benefit for cybercriminals: there is typically a long delay in the detection of the fraud. It is up to the patient, the provider and/or health insurance company to realize that there is a problem.
But what else can be done with this information? A data breach that occurs within a healthcare organization poses far greater risks because of the single fact that the cybercriminal has all the pertinent information to actually pose as that individual.
A criminal can actually utilize your benefits as if they were their own and bill your health insurance carrier for procedures that you never had done. Criminal networks run deep and reach many elements of life, and because of that, some providers will knowingly bill these accounts for services that were never provided. There have even been instances where diseases or illnesses that people have never had show up in their medical records, which can affect the patient care you receive.
Even more alarming is the ability to pretend to be you, and open up credit accounts in your name. We all know the importance of credit in this country and having patient data stolen is another way in which identity theft can occur.
While both the retail and healthcare industries remain vulnerable, one continues to stand out as the biggest data breach threat: healthcare. As retailers struggle to fix their issues and secure their systems, the credit card companies already have systems in place to protect the consumer from fraudulent card activity. Soon after they are alerted, your credit account is deactivated and a new card is sent out to you, minimizing the impact. But when it comes to patient data, the information that is contained within a medical provider's database cannot be so easily changed. You will not get a new name, social security number, date of birth or health history. This information can be used to target an individual over and over again with little to no recourse. For those of us who work in either of these verticals, it is important that we remember that our job is not only to protect our client but to protect each and every customer or patient that conducts business with them.
Originally published on Business Solutions Magazine