The healthcare industry is a prime target for hackers and lacks “top-tier” cyber defenses, Richard Bejtlich, chief security strategist at cyber firm FireEye, told lawmakers during a House Energy Subcommittee on Oversight and Investigations hearing Tuesday.
In light of the massive breach at health insurer Anthem that exposed nearly 80 million customers’ data, Rep. Gene GreenRaymond (Gene) Eugene GreenBottom line Texas New Members 2019 Two Democrats become first Texas Latinas to serve in Congress MORE (D-Texas) wanted to know whether the healthcare sector was at a higher risk of cyberattacks because of weak security.
“There’s definitely an issue there,” Bejtlich replied.
Healthcare is one of the few industries with long-standing federal data security regulations — the 1996 Health Insurance Portability and Accountability Act (HIPPA).
But Bejtlich said healthcare companies have not reached the level of security seen in the financial and defense sectors.
And the information healthcare companies guard is exponentially more valuable to hackers, Bejtlich told lawmakers.
Credit cards go for anywhere from $1 to $10 on the black market, while a full medical record, including a Social Security number, can fetch $300, he said.
“Clearly that information is more valuable,” Bejtlich added.
The security expert said Eastern European criminal groups have been known to “trade for that information because it is so durable."
And he warned lawmakers that the stolen data could be used to commit Medicare and Medicaid fraud.
As Congress considers new cybersecurity legislation, including measures that would create nationwide data security standards, it is unclear whether already regulated industries would be exempted.
Lawmakers saw Tuesday’s hearing as simply “a good scene setter for our future hearings,” as Subcommittee Ranking Member Diana DeGette (D-Colo.) put it, as they weigh the issues.
In addition to Anthem, major financial firm JPMorgan Chase exposed 76 million customer accounts after its systems were infiltrated last year. The financial sector is also subject to data security regulations.