Health Care Point-of-Sale Breaches a Rising Concern: Verizon

Cyber-crime impacts point-of-sale systems in health care and other industries, and organizations should focus their security efforts in this area, Verizon warned.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Financially motivated cyber-crime was a key part of 75 percent of the incidents in Verizon's 2013 Data Breach Investigations Report (DBIR), released on April 23.

Health care organizations are in danger of these types of breaches for copayment and credit card transactions, according to Suzanne Widup, senior analyst on the Verizon Risk Team and an author of the report.

The study found that 37 percent of the security breaches occurred in financial organizations and retail environments while restaurants suffered 24 percent of the incidents.

"We find that the health care breaches act a lot like retail breaches in as much as that it's the organized crime groups going after the payment chain, so they're looking for the credit cards and the Social Security numbers they can turn into money," Widup told eWEEK.

Hackers in health care are more interested in attacking payment point-of-sale systems than actual electronic health records (EHRs), according to Widup. "The health care area is very used to the patient-privacy aspect of securing the data and may not be paying too much attention to their payment systems," she said.

In addition to payments for care, security breaches also involve transactions at hospital gift shops and cafeterias, she noted.

Despite an interest by cyber-criminals in payment systems, patient data is still at risk, Widup said.

"The risk is ... they still may go after patient data, so there still could be a reportable breach in that data type even though that may not have been the initial data interest to the people coming in to steal it," she said.

"Most cyber-criminals are more interested in accessing your bank account and applying for loans in your name than they are the details of your last medical exam," Verizon stated in its October 2012 report on how cyber-threats affect health care and other verticals.

With the final omnibus rule for the Health Insurance Portability and Accountability Act (HIPAA) requiring risk assessments, health care organizations need to determine their level of preparation for financial attacks, Widup suggested.

"You need to look at where your own risk is and know your attacker," Widup said. If organizations such as health systems are vulnerable to attackers with financial motivation, then they need to strengthen their defenses for payment and billing systems, she added.

Logging systems are also a key tool for warding off financial attackers, Widup noted.

Health care organizations need to "make sure they're paying attention to what those logs are saying so that if there's evidence of something that's going on, they can act on it quickly," she said.

Organizations should have adequate logging systems so they can piece together the circumstances of incidents quickly, Widup said.

Staying current with software vendor patches is also important to avoid cyber-crimes in health care and other industries. "If you've applied the vendor patch, then you're no longer vulnerable," according to Widup.

In an October snapshot of verticals, Verizon noted that health care breaches mainly affected smaller practices and were part of insurance fraud schemes.

POS terminals accounted for 64 percent of compromised health care assets compared with 38 percent of desktops or workstations, Verizon reported in October.

To guard against POS attacks, health care organizations should change their administrative passwords on POS systems often. In addition, avoid using POS systems to browse the Web, Verizon reported in its health care snapshot.

A provider's POS application should be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), Verizon said.