Precious Loot: Healthcare Data

In February 2015, the US health insurer Anthem Blue Cross announced what is still the biggest data breach in the healthcare sector to date. [1] Almost 80 million records had been stolen, giving the attackers access to highly sensitive data such as Social Security Numbers, birthdates and addresses. The Anthem case illustrates how persistently hackers go after healthcare data. Cyber security is a big and fast-growing challenge for the sector:


  • The number of cyber attacks on healthcare institutions is rising sharply.
  • Phishing, ransomware and skimming attacks are the most common.
  • Smaller institutions are attacked more often.
  • On dark web marketplaces, stolen electronic patient records are worth more than stolen credit card data.
  • The cyber security problem grows rapidly with the ongoing digitalisation of the healthcare sector.


Rising Data Breaches

Data breaches in the US keep rising at a rapid pace. For the first half of 2017 the Identity Theft Resource Center (ITRC) registered a rise of 40 percent compared to the first half of 2016. [2] One in four of these breaches took place in the healthcare sector, which makes healthcare the second most often targeted sector after business, ahead of education and finance. Experian's annual forecast even predicts that healthcare institutions will be the centre of attention for hackers this year. [3]

“Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.”

Experian, Data Breach Industry Forecast 2017


Targeting the Small Players

As in other industries, cyber attacks on healthcare institutions are mostly carried out through phishing, ransomware and skimming. These common threats account for the majority of the attacks.

Ambulatory practices are a frequent target of cyber attacks. [4] Researchers at the cybersecurity company CynergisTek assume that these small practices are prone to attacks because they lack the resources to invest in IT security, which makes them an easier target for hackers.


How to Make Money from Stolen Patient Records

Criminals can monetise stolen electronic health records (EHRs) in several ways, because a single EHR bundles a large amount of personal data: name, age, address, Social Security Number, financial information and medical history. The following methods have been described in various articles: [5][6]


  • Filing false medical claims
  • Filing false tax returns
  • Committing credit card fraud
  • Blackmailing individuals
  • Using ransomware against medical institutions


Accordingly, a stolen patient record is said to sell for $10 to $50 on the dark web, while stolen credit card data fetches $1 to $5, although these prices vary considerably with supply and demand. [7]

On the defender's side, IBM Security puts the cost of a breach for an affected healthcare institution at $380 per compromised record, [8] compared with a US average of $225 per record across all sectors.


Increasing Risk

Since the massive data breach at Anthem Blue Cross, healthcare institutions are clearly aware of the data security problem. The question is whether the action taken is enough to protect their (our) data.


In my opinion the challenge is growing rapidly because of two ongoing trends. First, as Dr. Stephen Herrod of General Catalyst Partners said in his talk at Stanford University on July 21, cyber attacks are becoming more and more sophisticated. Second, the big data trend has caught on in the healthcare sector. The wish to benefit from analysing vast amounts of data means that more and more patient records are being digitised around the globe, and more and more devices in practices and hospitals are being connected to the internet to collect their data. Every newly digitised record is another record to protect, and every newly connected device is another way in, so the amount of data that needs to be protected and the attack surface around it both grow rapidly.


In the end, healthcare providers have to manage cyber security risk quickly and effectively. Otherwise the benefits gained from digitalisation will be wiped out by the costs that data breaches entail.


References:

[1] Anthem Blue Cross, media release of 6 February 2015, “Anthem Alerts Consumers to Protect Themselves from Scam Email Campaigns”.

[2] Identity Theft Resource Center, “2017 First Half Review: At Mid-Year, U.S. Data Breaches Increase at Record Pace”.

[3] Experian, “Data Breach Industry Forecast 2017”.

[4] CynergisTek, “Redspin Annual Report on the State of Cybersecurity in Healthcare”, https://cynergistek.com/cynergistek-redspin-annual-report-cybersecurity-healthcare/

[5] Clearwater Compliance LLP, https://clearwatercompliance.com/blog/move-credit-cards-stolen-medical-records-selling-record-prices-dark-web/

[6] M Yao, Forbes, “Your Electronic Medical Records can be Worth 1000s to Hackers”, https://www.forbes.com/sites/mariyayao/2017/04/14/your-electronic-medical-records-can-be-worth-1000-to-hackers/2/#483bc1a990a6

[7] Health IT Security, “Are Stolen Medical Records Still Worth More Than Financial Data?”, https://healthitsecurity.com/news/are-stolen-medical-records-still-worth-more-than-financial-data

[8] IBM Security / Ponemon Institute, “2017 Cost of Data Breach Study”.


6 comments on “Precious Loot: Healthcare Data”

  1. A very interesting article! I share a lot of your opinions. In fact, in the UK a few months ago there was a large ransomware attack where patient records were withheld for money. As such, it is evident that these threats apply to massive institutions as well as smaller players. One big concern for me is that with more “small players” emerging, and greater integration of healthcare data, are we exposing ourselves even more to these kinds of attacks?

    1. Thank you Chris for your comment! The question you are raising is, I think, a very important one. And the answer, I think, is yes, we are exposing ourselves to more of these attacks, as you described. The solution would be that people as well as institutions grow their consciousness in proportion to the amount of health data that is being stored. Unfortunately, there is an inherent distribution problem of means to invest in cyber security. The “small players” are thus more vulnerable. An approach could be pooling the resources spent on cyber security by the smaller players with the objective of achieving higher security levels.

  2. In your research did you find that these companies which were breached did not follow HIPAA regulations, or ended up being fined as a result of the breach? What steps did Anthem take to prevent this from happening again?

    Thank you, and great topic!!

    1. Dear Robert, thank you very much for your comment! You raise a good point. Healthcare institutions actually have an obligation to protect data. In the US this is given by the Health Insurance Portability and Accountability Act (HIPAA). There are debates about whether these rules are sufficient to protect customer/patient data.
      In the case of Anthem, the biggest data breach as mentioned in the post, a class action lawsuit followed the breach. The discussion was whether HIPAA regulations were violated. The case just settled recently with Anthem paying $115 million. Experts say it’s the largest settlement regarding a data breach.

  3. Hi Samuel – The threat is very real in the healthcare sector. I have worked in healthcare technology for over 20 years and we definitely see an upswing in hacking attempts in the industry. I’m particularly concerned for the smaller providers, who don’t have sophisticated IT teams and many don’t have any dedicated security staff. I think this is something that patients should be aware of, especially those who have conditions that are usually kept private (mental illness, AIDS, etc.). I think it’s an opportunity for technology providers. Some, like Athena, offer their EMR in the cloud. Coupled with good security and thin clients at provider sites, this could reduce the risk somewhat for these smaller organizations. Security is certainly getting a lot of attention in the industry these days!

    1. Hi Eldon, thank you very much for commenting on my blog. I appreciate hearing your insider perspective on the problem. I agree that the security issue is getting more attention in the industry. Doing the research for this blog, I realised this too, as an outsider.
      As you mentioned, more security solutions are being created even for smaller institutions in the industry. What I wonder is whether such solutions are enough or whether more awareness needs to be built at the employee level of such healthcare institutions. You might know more about the mindset of the workers there.
