By Rick Kam, President and Co-founder, ID Experts
rick.kam@idexpertscorp.com
Healthcare information is everywhere today, and it’s a boon to patients and providers alike. Electronic health records allow a primary care physician to quickly send information and consult with a specialist, or send the patients copies of their own records. Information flows quickly from healthcare providers to payers, speeding processing. Health information exchanges (HIEs) allow doctors to securely share patient information and allow healthcare agencies to track and respond to emerging health threats and to analyze outcomes in search of improved treatment options. Cloud computing helps lower IT costs for healthcare organizations and concentrate on their primary mission. And now a universe of devices from tablet computers to medical implants and even Fitbits and Apple watches are recording health data and transmitting it over the Internet. (One of the latest is a medical scanner that was designed to emulate the medical tricorders on Star Trek, but this tiny, sleek device makes the ones on the Starship Enterprise look like something from the era of vacuum tubes.) But the news is not all rosy: the digitization of medical data has created new risks.
The downside of medical data everywhere is that medical data is everywhere; and presents a huge attack surface for cyber-thieves. And as fast as futuristic medical capabilities are advancing, cyber-attackers are advancing just as fast. A recent Ponemon Institute survey reported that 2.3 million adult patients were victims of medical identity theft in 2014, and the victims spent an average of $13,500 trying to restore their credit, pay off fraudulent medical claims, and clean up their health records.
Sobering as these figures are, consider that in March 2015, the Washington Post reported the U.S. Department of Health and Human Services (HHS) figures showing that the protected health information (PHI) of more than 120 million Americans had been compromised in data breaches since 2009. Since then has come news of the Excellus BlueCross BlueShield data breach affecting 10.5 million people; the Premera breach (exposing up to 11 million people); and the Office of Program Management breach (affecting up to 21.5 million people). In total, the PHI of as much as half the U.S. population has been compromised, leading anyone to wonder why there were only 2.3 million victims of identity theft and fraud in 2014, and how many more thefts are undiscovered or are yet to come. With all of its health benefits, free-flowing healthcare data has also created a ticking time bomb of risk to patients and medical organizations.
Tip of the Iceberg
The healthcare data breaches in the news these days are the results of cyber-attacks. What is the motive behind these attacks, and what is happening to these medical records? There are a number of answers.
A large part of the medical computing infrastructure is devoted to paying for services, so when cyber-attackers steal medical identities, their goal may be simply to monetize financial information, and healthcare providers may be simply an easier means to that end. In a MedPage Today interview earlier this year, Dwayne Melancon, chief technology officer with Tripwire, points out that the healthcare industry is ahead of retail but not yet as sophisticated as the financial industry in protecting data. As described in the recent article on the economics of cyber-crime, the growth of the Dark Web has provided a ready market for thieves selling financial and other personal information, including medical records, so cyber-attackers may be simply turning to additional sources for financial information.
Financial records can be monetized quickly, but medical records can take longer to exploit. If a person is seeking medical treatment using another person’s information, they need to be sure the provider doesn’t already know the real patient and that the stolen identity matches them well enough that the fraud won’t be detected immediately. (For example, one would hope that if a pregnant Hispanic woman sought neo-natal care using the identity of a senior white male, someone would notice the fraud.) Many medical providers are now requiring photo ID at the time of service, so would-be fraudsters may also need to purchase falsified documents and other information before using a stolen ID. All of these take time, so much of the stolen medical information in criminal hands now may be stored for future use
But paying for medical services is not the only motivation for healthcare data breaches. Personal health details could also be used for phishing attacks. Just think if parents of terminally ill children received calls naming their doctors by name and saying their child had been recommended for a promising clinical trial. Health issues are emotional, and people may not be as cautious as they might otherwise be.
Cyber-attackers could also use some of the stolen data for extortion. For example, if there were information that a public figure or someone in a key position in business or government didn’t want made public, thieves could demand money or pressure that person to reveal anything from network passwords to industrial or state secrets. After the announcement of the UCLA breach in July, UCLA Health said that its systems are under “near-constant” attacks, mostly from sources in China and Eastern Europe. In an eSecurity Planet article on the breach, Jeff Hill, channel manager at STEALTHbits Technologies, speculated that part of the motivation for attacking an LA-based health system is in finding personal health information on celebrities that could be held for ransom or sold to news organizations. He points out that “The most private and potentially embarrassing information about all of us can be found in our medical records, and they often sit exposed on the vulnerable networks of myriad hospitals, clinics, insurance companies, etc.”
Digging Deeper
There are myriad possibilities for using PHI stolen in large-scale cyber-attacks, and many more when you include the complex web of mobile computers, medical devices, and cloud computing services that make up today’s medical computing infrastructure. No wonder so many patient records have been compromised. And, as Tripwire’s Dwayne Melancon pointed out, not all of these situations are avoidable. He says, “There is a tendency to say a company didn’t know what they were doing. That is not always the case…In a lot of those cases it isn’t negligence, it’s just something people could not foresee. If they were taking reasonable measures and still got compromised, it may be that they had well-resourced, determined attackers, and any organization could be vulnerable to that.”
While no organization can thwart every possible attack, neither can any organization afford to ignore the threat posed by the increasing exposure of medical data in new places and on new devices. As Dan Munro writes in Forbes, “The value of health data also transcends the technical means used to manage and protect it. “ Among the reasons to be concerned, he states that “Privacy may well be dead, but trust isn’t and [patient] trust is finite. Medical data is lifelong and has serious clinical consequences—along with financial ones.”
When PHI is exposed, patient lives and the provider’s business can hang in the balance. HIPAA also requires risk analysis, so all these risks also need to be figured into an organization’s risk profile and addressed. Decision-makers in healthcare organizations, from privacy and compliance staff to IT and the governing board need to understand the new and fast-emerging threats.
[bctt tweet=”Medical Data Everywhere: Health Revolution or Time Bomb? @rickkam” via=”no”]