If it weren’t already obvious, cybercrime is very real and security failings are seemingly unstoppable. But with the advance of wearable technology, a different type of breach is coming: the healthcare hack.
In its Data Breach Industry Forecast report for 2015, Experian states that the forthcoming year will see a persistent and growing threat of breaches in the healthcare space. According to the report, the growing value of this data and the digitization of medical records are drawing more cybercriminals to target health data.
“Healthcare organizations will need to step up their security posture and data breach preparedness or face the potential for scrutiny from federal regulators,” said Experian’s report. “Reported incidents may continue to rise as electronic medical records and consumer-generated data add vulnerability and complexity to security considerations for the industry.”
Personally identifiable information (PII) can vary in price on online black markets, says Michael Bruemmer, vice president of Experian’s Data Breach Resolution, but if medical data and insurance coverage information are bundled with it, the value rises four- or fivefold. “It’s literally about following the money,” he says.
Throughout 2014 there have been a number of retail and financial data breaches, but healthcare data provides its own value too. “For one thing it is data rich,” says security consultant Morgan Wright, who previously testified before Congress on the security of Healthcare.gov. “So you get the person’s name, you get their date of birth, and in some places you might even get identifying information like social security or driver’s license, you get the healthcare information.”
Healthcare data can sometimes carry credit card details too, says Prem Pusuloori, CTO of OmniMD, an electronic healthcare record provider based in New York State. Pusuloori notes that it’s also more difficult to stop this kind of hack. “So while financial information can be tracked and secured following a breach, the healthcare information cannot be as easily tracked and resolved,” he adds.
You needn’t look too far for examples of medical data being leaked. Sony Pictures has seen medical data compromised amongst its troubles, while 4.5 million patients were affected by the Community Health Systems breach in August. While these are high-profile examples, smaller breaches are happening all the time. Earlier this month, for example, Anchorage Community Mental Health Services was fined $150,000 under the Health Insurance Portability and Accountability Act (HIPAA) for a malware-related data breach and for failing to patch its software.
“Because of the distributed nature of healthcare networks, there’s a lot of ways to get in the door,” explains Bruemmer.
As the Internet of Things grows larger yet, we’re opening up new avenues for breach, whether malicious or accidental. “I think of it in terms of a simple equation. If you take data or PHI plus lots of access points, it equals an opportunity to be breached,” he adds.
We’re likely to see wearable technology flood the market even more at this year’s CES in Las Vegas, meaning more of these access points will become available.
Morgan Wright explains that at least some big companies are taking heed of the risks. “You just look at the market and see where people are putting money; they’re putting money into cybersecurity. This was not a sexy thing years ago. It used to be that they’d say you have a network and you have three things: price, speed, and security. Pick two. Security was always an afterthought,” he says.
“It’s important for organizations like healthcare, where regulation is a factor in their lives, not to see compliance and security as synonymous,” adds David Emm, principal security researcher at Kaspersky Lab.
Healthcare organizations need more stringent network assessments and security tests, says Wright. And in the case of the patient, we will need to be more vigilant in asking how our data is used.
“I think patients also have to ask questions of the system the same way they ask of their healthcare professional,” he says. “Their responsibility is to make sure they ask the right questions, the same way they ask the question of a doctor and get a second opinion. You can ask questions. Who has access to this information? Why do you need a photocopy of this? You know, a better informed consumer.”
ECRI’s Top 10 Health Technology Hazards for 2015 report adds that constant updating and network testing of computers and medical devices is needed. “Unfortunately, healthcare facilities face a variety of obstacles that complicate the process of keeping medical devices up to date with the recommended operating system (OS) patches and anti-malware protections,” it reads.
It also advises that computers be fully encrypted and physically secure as there have been a number of cases of stolen or missing laptops and thumb drives containing healthcare data. “The theory of multiple layers of defenses seems to, over all the clients we work with, have the best effect,” says Bruemmer, explaining that human error and lack of staff security training can be a leading cause of data breach too.
Raj Samani, EMEA CTO at McAfee, adds that we’re now in an age where people are beginning to understand the value of any and all data, whether that’s health info, credit card numbers or just log-in details. “This data is being targeted, data is being identified, it’s being compromised, breached and it’s being sold on and it’s being sold on for an enormous profit by malicious actors out there,” says Samani, adding that getting the balance between patient care and security is vital.
“The need to implement more security and controls and so on and so forth constantly has to be put under the spotlight of that balance between patient care and usability and security.”
Photo via Daniel Mee/Flickr (CC BY 2.0)