RSA Panel: Thieves Thrive On Stolen Medical Data

"This is an upward trend," the panel moderator, James Christiansen, CISO at the Sands Corp., told the audience of security professionals. "If it's not on your radar, it should be."

High-profile examples of third-party security breaches include breaches involving payment processors Heartland Payment Systems and Global Payments. The recent breach of online customer support provider Zendesk affected users of Twitter, Tumblr and Pinterest, which use the company's platform services.

[Related: RSA Conference 2013 Coverage ]

Panelists said responding to third-party breaches is more complicated, time-consuming and costly for organizations. Christiansen said legal costs are higher, with two companies' reputations at stake, and regulators will be looking for answers.

All organizations are at risk of third-party breaches but the health-care industry is particularly vulnerable, said Christine Arevalo, director of health-care management at ID Experts.

Michael Bruemmer, vice president of Experian Data Breach Resolution, said 40 percent of all breaches Experian handles involve health-care institutions. On the black market, the value of medical identification information is 10 to 15 times greater than financial information, he said.

Bruemmer recounted a case involving a boy's stolen medical identification. A third party's office cleaner stole medical records, the boy's records among them. Someone then bought the records and used the boy's information to get medical care. That person wasn't allergic to penicillin, but the boy was. During a subsequent emergency, the boy was nearly treated with penicillin due to an update to his records based on the stolen medical information. Fortunately, the boy's mother caught the error, he said. As it turns out, the cleaner's background check was falsified.

Christiansen noted that the increase in electronic medical records has made it easier for criminals to access health-care records.

Panelists said all types of organizations should prepare for potential third-party breaches by making sure to perform ample due diligence on third parties and their security measures.

David Chavez, partner-in-charge of the San Francisco office of law firm AlvaradoSmith, said companies need to map their data, understand what is being outsourced, and draft third-party contracts with clear indemnification clauses. They also need to make sure third parties understand their legal obligations to provide breach notification, he said.

David Sockol, president and CEO of security consulting firm Emagined Security, said it's important for companies to be prepared in advance of an incident, which includes having a plan and testing it. Make sure you know who to call no matter the time of day, he said. Planning ahead is critical, because "when you're in the middle of it, it's too late," he said.

PUBLISHED FEB. 27, 2013