Guest post by Alex Horan, senior product manager at CORE Security.
In 2012 we saw an increasing number of health breaches across the country – and across continents. We saw an employee’s lost laptop turn into a healthcare records breach of more than 2,000 sensitive medical records of Boston Children’s Hospital patients. We heard how one weak password allowed a hacker to access the Utah Department of Technology Services’ server and steal approximately 780,000 patients’ health and personal information. We even read about Russian hackers encrypting thousands of patient health records and holding the information for ransom for thousands of dollars.
Healthcare fraud and medical identity theft put both individuals and healthcare organizations at severe risk. Since 2010, the Ponemon Institute has annually benchmarked the evolving issues of patient privacy and security. The third annual study, released in December 2012, found that healthcare organizations still face an uphill battle in their efforts to stop or reduce the loss or theft of protected health information (PHI) and patient records. What’s more, data breaches can have severe economic consequences – and the repercussion costs are only climbing. The study estimates that the average price tag for dealing with breaches has increased from $2.1 million in 2010 to $2.4 million in 2012. The report projects that the economic impact of continuous breaches and medical identity theft could be as high as $7 billion annually for the healthcare industry alone.
So why are the healthcare industry and medical information such hot targets for hackers? Why is patient health information so valuable? To put it simply, the records that hospitals and medical practices hold tell a person’s entire life story. Think of it like a treasure map; only this time it’s a road map to your life.
Let’s begin with personal risk. People more commonly fear that their credit card or bank information will be stolen or compromised. While certainly a hassle, the risk can be quickly contained. With a few phone calls to the business or financial institution, any potential problems are generally cleared up – the fraudulent charges are canceled and a new card is issued. In fact, fraud monitoring and data protection have now become mainstream services at most financial institutions.
Health records, on the other hand, are another story entirely. First off, medical identity theft is much more difficult to detect. And second, these records contain some of the most valuable personal information – social security numbers, insurance records, birth dates, family details, billing information, transaction history and, of course, a detailed medical history. Most of this information is stored in the back office applications of healthcare IT across a complex network of players – insurance payment systems, hospital admit and discharge applications, medical laboratories of various types. To add to the complexity, because the adoption and implementation of electronic health records (EHRs) is still under way, most of these files exist in both paper and electronic form – particularly at a primary care physician’s or specialist’s office.
Like any other business, hackers are looking for the most “bang for their buck.” This interrelated collection of data is a gold mine for hackers. In gaining access to a person’s health records, a hacker has – in one fell swoop – acquired almost full rein over a person’s identity. Not to mention, a stolen medical ID number and record currently sells on the black market for $50, whereas a stolen credit card number is only worth $1. Whether the hacker is looking to perpetrate medical identity theft for immediate financial gain or prolonged fraud against the medical establishment, the demand for medical history and identifiable information in healthcare far outstrips that in other industries.
There are three overarching risks involved in healthcare breaches and medical identity theft:
1. Health risk: There is serious health risk involved when a medical record is polluted or merged with someone else’s medical prescriptions or lab procedures. The Ponemon Institute study revealed that the effect of medical identity theft could prove to be fatal. For example, incorrect blood type or prescription information could cause life-threatening complications at the point of treatment.
2. Financial risk: During a data breach, medical files and billing and insurance records are the patient data most likely to be lost or stolen. Close behind is the risk of financial identity theft, since healthcare organizations also often hold credit and bank records. Issues of “denial of service” or “denial of claim” are often associated with medical identity theft. This is when a person uses someone else’s medical record to obtain or bill for medical goods or services. For example, a patient might be unable to get the recommended therapy following surgery because a clinic they never visited claimed their insurance benefits had been maxed out.
3. Reputational risk: A person’s health information and medical records contain private or sensitive information that we often do not want in the public domain. Think about mental health, depression, alcohol or substance abuse. Such information still has a huge stigma in our society and can cause reputational harm. Such breached information can come up in an employment background check, CORI report, etc. What’s worse, imagine when a health record is polluted by someone else’s medical history – patients may be wrongfully penalized based on information not even pertaining to them.
There are also serious repercussions for healthcare providers and payer organizations following a security breach. The costs of such fraud, whether from IT security hacking, physical theft or outright carelessness, are quite daunting. According to the most recent Ponemon Institute study, the economic impact of one or more data breaches for healthcare organizations ranges from less than $10,000 to more than $1 million over a two-year period.
Add to the mix the omnibus Health Insurance Portability and Accountability Act (HIPAA) and HITECH regulations, created to confront the very issue of stolen medical information.
When HIPAA was first enacted, the maximum penalty for a HIPAA violation was $250,000. The final rule on the Privacy, Security, Enforcement and Breach Notification Rules was issued just recently, in mid-January 2013. Now, the maximum penalty is $1.5 million. Fines as well as criminal penalties can be imposed on the violating institution and the individuals involved.
Still, all is not lost for healthcare providers and payer organizations. HIPAA and HITECH regulations also offer lucrative financial incentives to meet privacy and security guidelines outlined in the legislation. The new EHR adoption and migrations as well as related IT transformations offer the perfect opportunity for healthcare organizations to get their security house in order.
Ultimately, the latest string of healthcare data breaches and subsequent heightened media exposure should serve as yet another wake-up call. While the number of security threats continues to grow, the risk of a data breach can never be completely eliminated. However, a new-found commitment to security can go a long way toward reducing the risk.
Organizations can improve their security hygiene with a few of the following best practices:
• Implement password guidelines
• Deploy a prioritized security, privacy and vulnerability assessment and management program
• Effectively pinpoint exact vulnerabilities by targeting key systems, applications and processes which involve patient data
• Proactively ensure awareness against social engineering
• Establish clear policies on data storage and encryption
Following these best practices can keep your patient data secure and protected against hackers. Risk-savvy organizations that are consistent, proactive and predictive in their security programs are the silent winners in the battle to protect patient data.
Alex Horan is the senior product manager at CORE Security, where he is responsible for the CORE Impact Professional vulnerability assessment and testing solution. During his nearly 10 years at the company Horan has led Support, Systems Engineering and Training. He has more than 15 years of experience working within the IT security industry, covering both software and hardware. As a result he brings a deep knowledge and understanding of vulnerability assessment and penetration testing, as well as systems and network administration and auditing, to his work at CORE. Horan has previously worked for mid- and large-sized companies, helping to design and maintain their security posture.