Tuesday, 28 July 2015

Hackers Selling Healthcare Data in the Black Market

With the drastic increase in cyber crime, the healthcare industry has become a prime target for data-hungry hackers. Patient safety may not seem directly related to data security, but an individual’s personal health information includes everything from their address and private medical records to credit card information. Approximately 29.3 million patient health records have been compromised in HIPAA data breaches since 2009, according to healthcare IT security firm Redspin. In this article, we try to work out how hackers turn stolen healthcare data into cash in the cyber underworld, or black market.

Introduction

It took one health insurance company almost a year to notify some 1.1 million of its members that their personal data had been taken by hackers. In another incident, more than 80 million health records were stolen in the Anthem breach through a compromised network server. In the 15 months from January 2014 to March 2015, the healthcare industry suffered 15 separate major breaches of protected health information, affecting well over 100,000 individuals.

So why are hackers after the health data of an individual or a patient? What can be gained from such data? According to a report by the Aberdeen Group, a patient record sells for about $500, depending on who is buying. Healthcare companies experienced a 72% increase in cyberattacks between 2013 and 2014.

Cost of Stolen Data

More and more health data is showing up on the dark web. Unlike a card number, a person cannot simply delete or change their birthdate or social security number. Stolen patient health records can fetch as much as $363 per record, according to data from the Ponemon Institute, which is more than any other piece of data from any other industry.

There have been more than 270 public disclosures of large health data breaches. “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas. While stolen credit card numbers tend to sell for a few dollars or even quarters, a set of Medicare ID numbers for 10 beneficiaries, found online by Greg Virgin, CEO of the security company RedJack, was being sold for 22 bitcoins, or about $4,700.

These records are used for identity theft and can be classified as follows:

  • Credentials: Name, date of birth, contract or group number, type of insurance plan, deductible and co-pay information, and insurer contact information for claims and customer service. Another $20 each is charged for associated dental, vision, or chiropractic plans.
  • Complete electronic dossier, or Fullz: An electronic dossier of credentials for an individual, compiled and packaged with other Personally Identifiable Information (PII). Fullz are worth more because they take time to compile but make the identity theft process easier for the black market purchaser. They may include everything in the credentials package above plus address, phone numbers, email address with password, social security number or employer ID number, bank account information, online banking credentials, and credit card information.
  • Finished kit of phony ID and credential documents, or Kitz: Includes custom-manufactured physical credentials and documentation matching the identity information in the Fullz. It becomes a complete identity theft kit and may include fake versions of the victim’s insurance card, social security card, driver’s license and credit cards.

Hacking is not the only means by which medical information is compromised: sometimes healthcare workers steal data, and in other cases friends or family members use a person’s health insurance information to file fraudulent medical claims.

Underestimating Healthcare Data Security

Many healthcare organizations do not encrypt records within their internal networks, nor do they encrypt data at rest or in transit. This attracts hackers, since the attack surface is very large. Health insurance information can be used to purchase drugs or medical equipment, which are then resold illegally, or even to obtain medical care. The latter can have consequences that go far beyond the financial.

Ken Westin, security analyst at Tripwire, said, “In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It’s no surprise that several organizations have been targeted and compromised. Vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes.” Part of the problem may be the mistaken assumptions that hackers are only interested in financial data and that perimeter firewalls will stop any kind of external attack. Such assumptions lead healthcare organizations to neglect application security and data encryption. The Health Insurance Portability and Accountability Act (HIPAA) addresses a number of patient privacy issues but doesn’t require encryption of people’s data.

Why is Patient Health Information (PHI) considered more valuable than financial data?

On the black market, medical information is worth more than credit card information. One reason medical data is coveted by thieves is that it has more lasting value than other types of information. Once the bad guys get their hands on it, it’s difficult for the victim to do anything to protect themselves. While a stolen credit card can be cancelled and fraudulent charges disputed, the process for resolving medical ID theft is not as straightforward.

Hospitals and insurers usually don’t have a clear process for fixing errors on someone’s health record or for helping patients cope with the other consequences of identity theft. “Unlike credit card numbers, healthcare information is non-recoverable, and potentially lethal in the wrong hands,” Robert Hansen, the vice president of WhiteHat Security, told the Christian Science Monitor. Banks have stepped up their online security in recent years by securing transactions and transfers better, while many health insurers and hospitals have not taken security seriously.

Twenty-one percent of doctors said they believed their cybersecurity was below average, while 8 percent of IT workers and administrators had the same view. A Ponemon Institute report indicates cyber criminals have increased their attacks on healthcare by 125 percent, costing the industry $6 billion annually. Recently, the UCLA Health System data breach affected 4.5 million patients. The unusual activity was detected in October 2014, and an FBI investigation confirmed the hack on 5 May 2015. The compromised servers contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers, as well as some medical information such as patient diagnoses and procedures. “Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted,” said Igor Baikalov, chief scientist at Securonix, a data security firm in Los Angeles.

Regulatory compliance program for Electronic Health Records (EHR)

A regulatory compliance program requires some level of central coordination. It supports gathering control and testing information, developing a common set of control objectives, and coordinating efforts to meet multiple regulations. Typically, a new or updated regulation or other requirement (such as PCI compliance) is followed by new corporate and departmental policies and procedures. Eventually, these policy and procedure documents begin to overlap, resulting in redundancies such as a HIPAA policy and a separate PCI policy that address the same controls and requirements, increasing complexity and confusion. It is more practical to create, for example, one Access Control Policy or one Password Management Policy that meets both HIPAA and PCI requirements.

Electronic health record systems are designed to store data accurately and to capture the state of a patient across time. Such a system eliminates the need to track down a patient’s previous paper medical records and helps ensure data is accurate and legible. It can reduce the risk of data replication, as there is only one modifiable file, which means the file is more likely to be up to date, and it decreases the risk of lost paperwork. Some organizations still look at compliance as a check-the-box, document-and-audit exercise. More mature organizations, however, realize that they need to take a risk-based approach in order to focus their resources on the areas of highest risk. We should also note that compliance may be a key focus of the healthcare industry, but that hasn’t always translated into secure environments. The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards that must be in place to protect PHI.

View the original content and more from this author here: http://ift.tt/1JKB97c

from health IT caucus http://ift.tt/1DLszTr
via IFTTT