

Preparing for the Worst with an Incident Response Plan

Every organization must have an incident response (IR) plan that covers preparation, identifying the start of an incident, recovering from it, restoring normal operations, and supporting sound security policies.

With any cybersecurity incident, security teams face uncertainty and chaotic activity. In such a high-pressure environment, the risk of not following proper incident response procedures is high and limiting the damage becomes elusive. It is essential that CISOs institute a thorough incident response plan that enables clear thinking and pre-planned steps that limit the loss and prevent business impact.

What makes up a sound IR plan? There are several steps in putting together an actionable IR plan; at a high level, preparation, detection, investigation, containment, eradication, recovery, and monitoring are the critical fundamentals of a program.

Figure: NIST 800-61 Incident Response Life Cycle

Getting Prepared

CISOs should always pre…

Why Medical Identity Theft is Potentially Lethal

Medical identity theft has been escalating dramatically, as cybercriminals have found an industry ill-prepared to protect itself from the onslaught. This article briefly discusses the various aspects of cybercrime waged against the medical industry, the reasons for it, and methods for its prevention.

The medical industry as a whole has been a laggard in addressing security, failing to sufficiently protect sensitive information stored on lost or stolen laptops, smartphones, and flash drives. Personal Health Information (PHI) records have been compromised, and hackers have now begun threatening the operations of hospitals and other healthcare facilities. A recent example is the ransomware attack against Hollywood Presbyterian Medical Center in Los Angeles, CA.

Another notable example is the Advocate Medical Group in Chicago, where 4 million people were directly affected. Advocate Medical Group did not notify affected patients until more than a month after the theft, while stating that the laptops were password protected. The lost data included social security numbers, which places the patients at higher risk of identity theft. The total number of affected individuals is eclipsed only by a 2011 incident in which 4.9 million medical records were compromised when backup tapes were reportedly stolen from an employee’s car. A subsequent class action lawsuit for the 2011 event seeks $4.9 billion in compensation, $1,000 per affected person.

Healthcare providers are not the only victims: massive breaches at the health insurers Anthem and Premera Blue Cross affected 80 million and 11 million individuals respectively.

The Reasons

Cybercriminals commonly chase basic identification information such as names, birth dates, and health insurance contract and group numbers, which they can sell for just $20 on the black market, according to researchers at Aberdeen Group. However, the lucrative identity theft kits fetch $1,500 and far more when medical data is included that can be used to obtain prescription drugs illegally and commit insurance fraud. Many of these high-end, all-inclusive kits contain PHI in addition to social security numbers, banking credentials, credit card information, and PINs. This information is used to produce professionally forged and custom-made physical credentials such as insurance membership cards, social security cards, driver’s licenses, passports, and credit cards. Health data is a tempting target for thieves for several reasons and has become more valuable than financial information.

Unlike the medical industry, financial institutions protect their customers from liability; they also re-issue credit cards and monitor financial inconsistencies as red flags of fraud. Medical data, on the other hand, has lasting value, since it is challenging for an individual victim to do anything to resolve the theft, and victims are offered little legal protection. Healthcare information is nonrecoverable and potentially has lethal consequences in the wrong hands. For example, victims of medical identity theft can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show a person as having diabetes when they don’t, or list a blood type that isn’t theirs, which can lead to severe diagnoses or treatments. Adding insult to injury, a victim often can’t thoroughly examine his own records because the thief’s health data, now folded into his, is protected by medical-privacy laws such as HIPAA. Worse, hospitals continue to pursue victims for payments they didn’t incur, and victims are not offered legal protection in the event of fraud.

Cybercriminals traditionally went after financial information from medical breaches; they typically didn’t care about medical data such as cholesterol levels, surgeries, or blood laboratory results. That has changed in a big way, and cybercriminals have found yet another lucrative market in extracting personal health information (PHI). In addition to using a credit card or Social Security number from a medical file to commit significant financial fraud, they parse the information out to different buyers.

For instance, if a patient has cancer or another serious health issue, the medical data in the record could be sold to data brokers who sell information to marketers, such as pharmaceutical companies and hospitals that want to target cancer patients. The uses for medical data become even more sophisticated: the PII could be used for visas and passports, and the PHI, which describes the physical characteristics of a person with access to high-security systems, could help criminals breach those systems, biometrics being one example among others. Currently, over half of identity thefts involve family situations where an uninsured person uses a friend or relative’s insurance identification card to obtain healthcare services.


While the financial industry has implemented security infrastructure to combat cybercriminals, the healthcare industry lags behind. Establishing a sound security program is of critical importance, with the threat of cyber attacks and breaches occurring on a daily basis. Medical provider executives, in particular the CIOs and chief information security officers (CISOs), should be given the right levels of authority and be positioned so they can have the most significant impact on security matters at a hospital or healthcare system. It must be understood that C-suite executives must do more than just meet compliance standards: they need to implement a security-on-top-of-compliance approach. The following should be applied:
  • The CISO – The right individual for the position needs to be identified and brought on board; then a line of communication must be established at each level of the organization. Moreover, the CISO must be given all the authority, autonomy, and resources that they need to be successful.
  • Governance and the Chain of Command – Establishing a security governance council with key executive leaders along with the CISO is imperative. This council will oversee the needs linking security and compliance to executive leadership.
  • CISO and CIO Leadership – One of the toughest tasks in any medical care environment is protecting patient data while ensuring clinicians have access to that data to perform their jobs. The CISO and CIO must partner like never before; both must ensure ownership of and accountability for technology risk, and proactively break down barriers between compliance and security staff while being well prepared for any cyber attacks or breaches.

Medical identity theft is a critical issue where victims are seldom afforded legal protection to deter financial harm or, worse, physical harm from a potential misdiagnosis. Cybercriminals have found an identity treasure bonanza: not only can they exfiltrate PII, but they get PHI data all in one shot, which has devastating consequences. It is also essential to realize that our consumer protection laws are inadequate to protect victims of this fraud, and that the medical and insurance industries must do more to protect the patients they serve.