It emerged Friday evening that UCLA Health System has been the victim of a criminal cyber attack affecting 4.5 million patients. The attackers accessed a computer network that contains personal and medical information.
Please see below for comments from Bromium, Lancope and OPSWAT.
Clinton Karr, senior security strategist, Bromium
“Healthcare information security is in critical condition. We have seen report after report of millions upon millions of records breached this year. According to the Department of Health and Human services, more than 120 million people have been compromised in more than 1,110 separate breaches since 2009 – a third of the US population. These data breaches are symptomatic of a failure of healthcare organizations to invest in preventative measures, such as threat isolation.”
Gavin Reid, VP of threat intelligence, Lancope
"This is another in a long series of recently discovered compromises to medical institutions Carefirst, Anthem, Bluecross and now the UCLA HS. At this point we probably have more breached medical databases than ones that haven’t been compromised. The problem is that no one wants to spend additional money - and at hospitals you better be spending that money on a new medical equipment or something that saves lives. The hospitals have budgetary needs that impact directly on patient care and lets face it real-life-death situations (better staff, better equipment). The move from paper records in filing cabinets locked away in rooms to online accessible record keeping has been fueled by cost savings and by the increase in medical hardware/software that can take feeds of this data and update automatically. Hospitals have mass adopted online record keeping but haven’t seen themselves as a target like a bank. The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection and response.

1) Why is this growing?

Three reasons:

Large scale attacks to hospital patient records data bases along with areas that are doing medical research can be extremely valuable source data for pharmaceutical and other medical research. Some medical offices have unique patient records & histories spanning years that could never be recreated and have a huge research value. Secondly the patient records themselves often have very complete PII (Personal Identifying Information) sets that are easily used in more common data theft scenarios. The last and increasingly common one is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.

2) What can be done to stop it?

The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection.

3) What can a consumer do to protect him/herself?

Limit who has your personal data when possible – share only with trusted providers that have a need to know. Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge."

Adam Winn, senior product manager, OPSWAT
While many are (deservedly!) pointing fingers at UCLA for not encrypting their data, few are focusing on a serious misperception by UCLA about the impact of this breach. From the LA Times article, “The hackers gained access to names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information like patient diagnoses and procedures. Atkinson said at this point it doesn’t appear credit card and other financial information was accessed.” Whether or not credit card data was stolen is nearly irrelevant to the victims of the breach. The data stolen is more than sufficient to commit identity fraud and Medicare fraud, additionally the detailed information contained in these records will enable cybercriminals to launch very effective spear phishing campaigns against the victims and their friends and family.