Health-care hackers on the prowl, KPMG study says

Computer hackers with ill will seem to be lurking around every corner, and health care is not immune. "The richness of the information means that the cybersecurity threat to health care has increased," Michael Ebert, KPMG partner and health-care leader at the firm's cyber practice, wrote in a report this week. "The magnitude of the threat against health-care information has grown exponentially, but the intention or spend in securing that information has not always followed."

KPMG is one of the Big Four accounting, audit, and advisory firms. Ebert works in the Philadelphia office.

Based on a survey of 223 health-care IT leaders from across the country, the report said, 81 percent of America's health-care organizations (hospitals and insurance providers for this survey) have been hit with a cyberattack in the last two years.

In the deep recesses of the Internet, sometimes referred to as the Dark Web, health-care information can trade at prices 10 times higher than credit-card or Social Security information, the KPMG report said.

Social Security numbers are cumbersome at best to change, while credit cards can be canceled very quickly. But, the KPMG report notes, health-care information is valuable because it is difficult to change - if you had a stroke, you had a stroke - and the personal details can be used for blackmail, or to commit insurance and prescription fraud.

KPMG said CEOs were much more likely to say they were "fully prepared" for a cyberattack than company information-technology personnel were.

The tricky thing for any organization is deciding when to reveal publicly that it was maliciously hacked and its information stolen. Waiting can allow the hacker more time to use the stolen information, anger customers even if they are not victimized, and potentially leave the organization liable for damages. Moving too quickly can allow hackers to better cover their tracks.

"It's important to understand the attack's total footprint and how it's spreading before shutting it down," Ebert said. "Otherwise, an organization will not be able to prevent it from spreading or properly contain the attack."

215-854-4506 @phillypharma

www.philly.com/phillypharma