Financial identity theft is a pretty well-known problem; we hear often about stolen credit cards, especially as breaches litter the news almost weekly. What most of us don’t realize, however, is that medical records are valued at 20 to 50 times more than financial identities on the black market. It’s perhaps for this reason – the return on investment in cyberattacks against healthcare providers – that healthcare identity fraud is a serious rising threat.
For the past several years, the healthcare industry has been at or near the top of industries most prone to cyberattacks.
In 2013, the healthcare sector already accounted for 43% of all identity theft cases in the United States.
In 2014, medical identity theft increased by 22% from the previous year.
In 2015, three of the seven largest data breaches of the year affected healthcare companies: Excellus BlueCross BlueShield, Premera Blue Cross, and Anthem.
In 2016, there were nine times more American medical records stolen than there were financial records, for a grand total of 27 million. This was roughly 10% of the U.S. population at the time.
We could go on and on with examples – in April 2017, for instance, medical equipment supplier Airway Oxygen was hit with a ransomware attack that may have compromised the data of half a million clients. Only a month later, in May 2017, Indiana’s Medicaid unit discovered that 1.1 million patients’ information had been publicly exposed through a hyperlink since February. Later that fall, the former Secretary of the U.S. Department of Homeland Security even highlighted the cyber threat to healthcare organizations.
Putting this all together, a 2017 Accenture survey found that healthcare data breaches have affected 26% of U.S. consumers. Twenty-six percent. This is an astounding figure, compounded by the fact that 50% of these individuals subsequently experienced medical identity theft. Their average cost? $2,500 out of pocket, per person. (Perhaps equally astounding is that 88% of respondents still trusted their health provider to maintain security – as opposed to only 57% trusting technology companies and 56% trusting the government to do the same.)
With all of these statistics in front of us, the obvious question is: how do we go about combating medical identity theft?
Why do hackers steal medical records?
First, it’s important to understand the incentives for stealing medical records themselves. As articulated by Robert Lord, Co-Founder and President of anti-healthcare-fraud company Protenus, “there’s a metaphorical holiday feast of enticing data served up in your average health record.” He’s of course right. Dates of birth, addresses, employment information, emergency contacts, family members, insurance plans, and Social Security Numbers are just some of the data points that can comprise a single individual’s medical file.
Within the healthcare industry itself, this data is incredibly useful for identity theft. Illegally obtaining prescription drugs, filing false medical insurance claims, and charging someone else for one’s own medical expenses are just some of the wide-ranging uses of stolen medical information. It’s a viable dark-web industry.
But it doesn’t end there, as this wealth of information can also be used outside the healthcare industry; financial fraud and insurance fraud are just two examples. With the breadth and depth of data these records provide, the economic incentives to steal them are enormous. Hackers have increasingly stolen medical records over the past several years, and they will only continue to do so going forward.
What do we do about it?
Social engineering is a significant component of facilitating healthcare breaches. Phishing attacks, abandoned USB drives, and sometimes direct social manipulation can all enable hackers to breach a healthcare provider’s records. For this reason, all healthcare employees need a base level of training in cybersecurity and cyber safety – training that is gamified, simulation-based, and made relevant to their specific areas of work. Just as with major tech companies, hospitals and other healthcare providers should enforce a strong security culture and make sure secure behavior is positively reinforced and rewarded.
On the technical side, hospitals are notoriously cyber-insecure in their use of old machines and outdated software; it’s a central reason why the WannaCry ransomware was so successfully used against UK hospitals last year. For this reason, healthcare providers need to require software patching and vulnerability assessments as part of the business lifecycle. While the return on investment may not be immediately obvious, putting money and resources into cybersecurity is a must – particularly considering the enormous financial costs of a medical record breach.
In this vein, strong encryption, multifactor authentication, firewalls, antivirus programs, malware removal software, and intrusion detection systems are just some of the technologies that can fight medical record breaches. Machine learning is also becoming increasingly adept at intrusion detection and threat analysis, so invest in that as well. Talk regularly with cybersecurity leaders to learn about the latest technologies, and keep up with the latest threats. Don’t be afraid to increase your spending on security, inside and outside your IT budget. And to this point, hire employees whose sole, full-time responsibility is cybersecurity. It’s a twenty-first century necessity.
Finally, a major source of concern for healthcare providers is the security of encryption keys and the trust of certificates – as these directly affect the security of medical records. HIPAA, HITRUST, PCI DSS, and other regulations can further complicate this issue. To this end, secure key and certificate protection is a valuable investment. Quickly identifying key misuse and increasing trust in certificates themselves will help prevent a breach. Check out how Venafi can help.
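The key and certificate hygiene this paragraph calls for can be turned into a routine, repeatable check. The Go program below is an added example, not Venafi's product or code from this post: it builds a small constructed inventory (an internal CA, a healthy server certificate issued by that CA, and a forgotten self-signed device certificate with a 1024-bit key that expired months ago) and audits each certificate for expiry or imminent renewal, weak RSA keys, obsolete signature hashes, and end-entity certificates that vouch only for themselves. The hostnames, the 2018 reference date, the 30-day renewal window, and the 2048-bit RSA floor are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one hygiene problem spotted in a certificate.
type Finding struct{ Subject, Issue string }

// AuditCert runs key- and certificate-hygiene checks on one certificate. The
// reference time is passed in so results are reproducible; the 30-day renewal
// window and the 2048-bit RSA floor are this example's assumptions.
func AuditCert(c *x509.Certificate, now time.Time) []Finding {
	var out []Finding
	add := func(msg string) { out = append(out, Finding{c.Subject.CommonName, msg}) }

	// Validity window: already expired, or about to expire.
	switch {
	case now.After(c.NotAfter):
		add("expired on " + c.NotAfter.Format("2006-01-02"))
	case c.NotAfter.Sub(now) < 30*24*time.Hour:
		add("expires within 30 days")
	}

	// Key strength: RSA keys below 2048 bits are flagged.
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		add(fmt.Sprintf("weak RSA key (%d bits)", k.N.BitLen()))
	}

	// Signature hash: MD5 and SHA-1 signatures are no longer trustworthy.
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		add("signed with an obsolete hash (" + c.SignatureAlgorithm.String() + ")")
	}

	// Trust: an end-entity certificate that signed itself was never vouched
	// for by any authority, so clients cannot tell it from an impostor's.
	if !c.IsCA && bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		add("self-signed end-entity certificate")
	}
	return out
}

// AuditInventory runs AuditCert over every certificate in an inventory.
func AuditInventory(certs []*x509.Certificate, now time.Time) []Finding {
	var all []Finding
	for _, c := range certs {
		all = append(all, AuditCert(c, now)...)
	}
	return all
}

// BuildInventory constructs a sample inventory (not real certificates): an
// internal CA, a healthy EHR server certificate it issued, and a forgotten
// self-signed device certificate with a 1024-bit key that expired months ago.
func BuildInventory(now time.Time) ([]*x509.Certificate, error) {
	mk := func(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Hospital Internal CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(9, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := mk(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	srv, err := mk(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ehr.example-hospital.test"},
		NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	devKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak, for the demo
	if err != nil {
		return nil, err
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "infusion-pump-07.example-hospital.test"},
		NotBefore: now.AddDate(-3, 0, 0), NotAfter: now.AddDate(0, -6, 0),
	}
	dev, err := mk(devTmpl, devTmpl, &devKey.PublicKey, devKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{ca, srv, dev}, nil
}

func main() {
	now := time.Date(2018, 1, 15, 0, 0, 0, 0, time.UTC) // constructed reference date
	certs, err := BuildInventory(now)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditInventory(certs, now) {
		fmt.Printf("%-40s %s\n", f.Subject, f.Issue)
	}
}
```

In a real deployment the inventory would come from certificates pulled off servers, load balancers and medical devices rather than from BuildInventory, and the findings would feed a ticketing or monitoring system so that an expired or self-signed certificate is noticed before a client silently accepts it. The audit is intentionally read-only: it reports, and the renewal or revocation decision stays with the key owner.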