Information Security Today Home

New Books

Emerging Technologies in Healthcare by Suzanne Moss Richins; ISBN 9781482262629
Impact of Healthcare Informatics on Quality of Patient Care and Health Services by Divya Srinivasan Sridhar; ISBN 9781466504875
Process Improvement with Electronic Health Records: A Stepwise Approach to Workflow and Process Management by Margret Amatayakul; ISBN 9781439872338
Information and Communication Technologies in Healthcareby Stephan Jones and Frank M. Groom; ISBN 9781439854136
The Complete Book of Data Anonymization: From Planning to Implementation by Balaji Raghunathan; ISBN 9781439877302
Guide to the De-Identification of Personal Health Information by Khaled El Emam; ISBN 9781466579064

Protecting Medical Record Data

By Lauren Sporck, Associate at OPSWAT

After a slew of data breaches in 2014, the FBI warned the healthcare industry that cyber-criminals would be directing more attention their way in 2015 [1]. The healthcare industry, valued at $3 trillion, has become an increasingly valuable target for cyber thieves and, in some cases, a much easier target to attack due to their often less than adequate investment in cyber security. What is it about the healthcare industry that has captured the cyber criminals’ interest in the last few years [2]?

Overview of Data Breaches in 2014

At the end of each year, the Identity Theft Resource Center (ITRC) produces a data breach report showing the total number of data breaches and records stolen for each industry [3]. The data is taken from credible sources, including the Attorney General's website, and includes data breaches that occurred in the year of the report or breaches that were made public in the year of the report. 2014 was a big year for data breaches in general, with a total of 761 breaches, amounting in 83,176,279 exposed records. The following industries were included in the report:

  • Credit/Financial (5.5%)
  • Business (32.7%)
  • Education (7.6%)
  • Government/Military (11.8%)
  • Healthcare (42.3%)

Of the industries represented, the healthcare industry had the highest number of total breaches in 2014: 322 out of a total of 761 breaches.

In terms of the total amount of records stolen or compromised by breaches in 2014, the business sector had the highest at 65,896,115, followed by the healthcare industry at 8,255,247 records [4]. It might be surprising that the banking industry only had 1,185,492 records stolen, especially when considering how frequently credit card fraud makes the news. It's not often that you hear about someone who had their medical record stolen.

Unfortunately, stolen medical record data is not usually reported in a timely manner; often taking years before someone discovers that the data has been compromised. Unlike stolen medical records, stolen credit card information is usually reported rather quickly, due to banks’ monitoring for suspicious account activity.

Comparing Medical Records to Credit Card Data

In order to understand why the healthcare industry is such a big target for cyber-criminals, you have to understand the value of a stolen medical record. Personal banking information is still valuable to the average cyber thief, but it doesn't have nearly as high of a payout as that of a medical record. Reuters placed a value on stolen medical information that is 10 times more than that of credit card data [5]. According to data collected from monitoring exchanges on the black market, the director of threat intelligence at PhishLabs estimates the value of stolen medical information to be around $10 per record, and that is on the low end of black market prices (see reference 7 below). Some sources claim that they can be sold for as much as $60 to $70 per record.

In the ITRC report mentioned above, of 322 reported breaches for the healthcare industry, 289 breaches resulted in confirmed quantities for the number of records stolen. The average amount of records stolen per known breach was around 28,564. If each medical record is assumed to be worth a minimum of $10, then the average payout for cyber-criminals from each breach would be at least $285,640, and that is considered to be a conservative estimate. If a record were assumed to be worth around $60-$70, then the average payout would be over $1.7 million per breach [6]. Credit card data, on the other hand is worth around $1 per record, so cyber-criminals would have to steal at least 10 times as many banking records to realize similar profits.

Medical records sell at a high price because they contain personal data such as names, addresses, social security numbers, birth dates, billing information, among other information. This information is used by cyber-criminals to create fake IDs that can be used to buy drugs that can be resold later, or to file false insurance claims using patient data [7].

Industry Spending on Cyber Security

Hospitals are often easier targets for cyber-crime because they lack the proper cyber security defenses [8]. Healthcare spending for cyber security is known to be low, compared to other regulated industries. In a 2012 report released by the Ponemon Institute, the healthcare industry listed a lack of funds as one of the main obstacles preventing them from taking the proper steps toward better data security practices [9]. ABI Research recently reported estimates that worldwide healthcare spending on cyber security will be around $10 billion by 2020 [10]. This only amounts to about 10% of the amount spent on cyber security by the critical infrastructure industry. By comparison, the financial industry is expected to spend $9.5 billion in 2015 alone [11].

We know how much cyber-criminals stand to gain from a healthcare industry data breach, but how much do these data breaches cost the companies who are affected?

With the average cost of a data breach for a company in the healthcare industry around $2 million over a two-year period [12], the case for investing in additional cyber security defenses becomes clearer.

The Problem with BYOD

One of the biggest concerns facing the healthcare industry is the increased adoption of BYOD by medical professionals. According to a recent report, 88% of healthcare organizations said they permitted employees and other medical staff to use personal devices for work purposes [13]. More than half of those same organizations claimed they did not have visibility to the security status of those BYOD devices. If organizations are not certain of the security of a device, how can they effectively protect any patient data contained therein?

Although many healthcare organizations allow medical staff to use personal devices for work purposes, their IT departments do not adequately support that use [14]. There seems to be some sort of disconnect between the Electronic Medical Record (EMR) tools that are chosen by the IT department and the willingness of medical professionals to use those tools. In a study recently released by Spyglass Consulting, 70% of physicians interviewed claimed that their IT department wasn’t making adequate progress towards supporting mobile computing and communication requirements [15].

This statistic is alarming as 96% of those same physicians claim to be using their personal smartphone for clinical communication purposes. Inefficient support of physician's mobile devices results in communication issues, which in turn leads to higher costs created by communication delays.

The healthcare industry clearly needs to find a way to integrate BYOD trends without compromising the security of devices.

Solutions for Preventing Future Breaches

With healthcare industry data breaches predicted to increase in 2015, organizations must take the proper precautions to avoid hefty fines resulting from HIPAA violations.

Multi-scanning Technology
As a requirement for HIPAA, installing an antivirus product is an important layer of protection. By choosing multi-scanning, organizations reduce the risk that that malware will enter their network; what one antivirus engine doesn’t detect another often will. Document sanitization capabilities are also useful, allowing users to prevent infections by advanced threats or zero-day attacks by converting potentially dangerous file types to remove embedded malware.

Protection of Endpoints
If devices connecting to a hospital's internal network cannot be confirmed as secure, how can organization expect to avoid a possible data breach? Proper host checking and monitoring of endpoint security status is imperative as more physicians adopt BYOD practices. This endpoint visibility challenge is unique and difficult to address while still maintaining the spirit of BYOD policies. Some MDM (Mobile Device Management) products have addressed this using techniques like containerization, but the issue is largely unaddressed for desktops and laptops.

Improved Email Security
A phishing attack is believed to be the cause of the recent Anthem breach, where stolen employee credentials were used to gain access to a secure network. In order to avoid this type of attack, the healthcare industry must invest in the proper email security software.

Industry-wide spending on cyber security remains low, despite the fact that healthcare is the largest target for cyber-criminals. If organizations in the healthcare sector want to reduce their risk of cyber-attack, they have to re-evaluate their views on security. Too often, investment in cyber security occurs after a breach has already taken place and patient data has already been compromised. If organizations find the right security tools they can protect patient data while addressing organization-wide communication issues, saving the valuable time of medical staff and avoiding the potential loss of millions in data-breach recovery costs.

References

1 Jim Finkle, "Exclusive: FBI warns healthcare sector vulnerable to cyber attacks," [Accessed March 5, 2015].
2 Mike Orcutt, "2015 Could Be the Year of the Hospital Hack," [Accessed March 5, 2015].
3 Identity Theft Resource Center, "2014 Data Breach Stats," [Accessed March 5, 2015].
4 Identity Theft Resource Center, "2014 Data Breach Category Summary," [Accessed March 5, 2015].
5 Rob Waugh, "Healthcare data worth ten times price of credit card data," [Accessed March 5, 2015].
6 Kris Van Cleave, "Anthem highlights desireability of stolen health records," [Accessed March 5, 2015].
7 Caroline Humer, "Your medical record is worth more to hackers than your credit card," [Accessed March 5, 2015].
8 Tom Murphy, "Health records are easy targets for hackers," [Accessed March 5, 2015].
9 Ponemon Institute, "2012 Cost of Cyber Crime Study," [Accessed March 5, 2015].
10 ABI Research, "Healthcare Cybersecurity a Massive Concern as Spending Set to Reach Only US $10 Billion by 2020," [Accessed March 5, 2015].
11 Cybersecurity Ventures, "Cybersecurity Market Report," [Accessed March 5, 2015].
12 Ponemon Institute, "Fourth Annual Benchmark Study on Patient Privacy & Data Security," [Accessed March 5, 2015].
13 Herb Weisbaum, "Heath care system's $5.6 billion security problem," [Accessed March 5, 2015].
14 John Comstock, "Report: Most physicians use BYOD smartphones, but lack support from hospital IT," [Accessed March 5, 2015].
15 FierceMobileIT, "Study: Hospital IT Paying LIP Service to Address Physician Mobile Requirments, Says Spyglass Consulting Group," [Accessed March 5, 2015].

 
Subscribe to
Information Security Today







Bookmark and Share


© Copyright 2015 Auerbach Publications