(Editor’s note, December 2015: while the information in this post remains relevant, 2015 could be called the year of the health care breach. During 2015 alone, approximately 1 out of every 3 Americans had some of their health care data stolen. New threats and actors have emerged, and health care data is increasingly at risk. So, both the ePHI and your money are at risk.)

The computer security risk assessment mandated by HIPAA in 45 CFR 164.308(a)(1), and also the Meaningful Use regulations, is focused on protecting the availability, integrity, and confidentiality of Protected Health Information (PHI).

There is another risk – theft of your money using your online banking credentials.

Small and medium sized organizations – businesses, non-profits and government – are the target. This includes HIPAA covered entities: hospitals, all flavors of healthcare providers, self-insured health plans and government agencies offering health-related services. The threat: crooks that want your money. The vulnerabilities include technical weaknesses on your network, unpatched software on the PC where you do your online banking, and human susceptibility to trickery. The threat agent: malicious software that hijacks your online banking credentials.

Here is how the scheme goes. Hackers cast a wide net with their malicious software, with the hope of landing on the PC of a business owner or an organization’s financial officer. The malicious software, most famously of the ZeuS family and its successors, is designed to steal the user’s online banking credentials. Once a target is infected, the crooks recruit “money mules,” often through bogus “work at home” arrangements. Then, using the financial officer’s online credentials, funds are wire transferred to the accounts of the money mules. The mules (often naive and unsuspecting individuals) withdraw the funds and make irrevocable money transfers via Western Union to the masterminds, often overseas. When the fraud is detected, the banks attempt to reverse the unauthorized transactions. These reversals are not always successful.

Recent examples of healthcare victims include:

Oncology Services of North Alabama, which lost $120,000;

the dental practice Smile Zone, which lost $205,000;

Orange Family Physicians, which lost $46,000 but was later reimbursed by their bank.

There are variations to the basic approach. Some banks use so-called “two factor authentication” with their business banking. One example is an RSA token that displays a random number which must be entered along with the user’s strong password. This number is synchronized with software at the bank. To defeat this security measure, the malicious software might modify the web browser while the user is online, to capture the password and the current token value. The screen then displays the message “System Unavailable – Try Again Later.” The token value is sent to the crooks. At this point, the crooks immediately initiate a batch of wire transfers, before the captured token value expires.

The more money you have in your bank account, the greater the risk. Business accounts do not include the same protections that consumer accounts enjoy.

A recommended security measure is to use a dedicated PC for online banking. That means that on this PC there is no other web browsing, no email viewed, no other programs run, and no USB devices inserted. This eliminates most paths of infection. A second security measure is to invest in additional security awareness training for the financial officer.
