I was thinking over the weekend about last week’s breach of the UCLA Health System and subsequent theft of 4.5 million medical records. Hackers know that medical records can fetch 10 times the dollars that a stolen credit card can, and that makes sense when you think about it. Cancelling or changing your credit card number takes one phone call to your credit card company’s 1-800 number, and with the advent of credit card fraud detection software – that phone call/email you get from your CC company when you make a purchase that seems outside your typical buying habits – the value of a stolen credit card has a very short shelf-life.
A medical record is a different animal. Most contain a Social Security Number and a date of birth. It’s fair to say that those are pretty much etched in stone. A medical record is also likely to have a phone number, an email address, a medical insurance policy number, even your employer. You get the idea. It’s a one-stop shop for bad guys to exploit just about everything about you.
In the case of the UCLA Health System breach, however, there could be some icing on the cake for the bad guys. Think about it. Celebrity compounds the attractiveness of the target in the Los Angeles area. If you’re looking to attract attention to your cause, what better way than to exploit the intersection of our voyeuristic and celebrity-obsessed culture? We love celebrity, but we love a fall from grace even more. What anti-depressants is our favorite TV star taking? How about that 2 am a visit to the Emergency Room Saturday night to treat the facial bruise? The most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc.
Sensitive information is a secret. The fewer people that have access to it, the lower the probability it will be compromised. Inevitably, to steal data, attackers exploit access. If 10 people have access to a medical record, the bad guys have to compromise one of only 10 credentials to steal it. If a thousand people have access to it, their target list just increased by two orders of magnitude.
STEALTHbits’ products provide the information and remediation tools an enterprise needs to make sure only the people that need access to data to do their jobs have it. That one step goes a long way to frustrating the bad guys after they compromise legitimate credentials…and we very much enjoy frustrating the bad guys.