Data Breaches in Healthcare: The New Plague, Part 2

Last updated: 13 June 2016

The vulnerability of healthcare records.

Last time we talked about the growing number of healthcare breaches, with IDC’s Health Insights group predicting as many as 1 in 3 healthcare recipients could be the victim of a data breach this year. In this part of the series, we will take a look at why healthcare records are such a hot commodity for hackers and how this will continue to drive activity. We’ll also explore security in other countries and how their security solutions are often more advanced than those of other countries, including the United States.

Hackers’ hot commodity

Healthcare records are gold to hackers and thieves. On the black market, cyber criminals can sell a partial Electronic Health Record (EHR) for about $100, compared to only about $1 for a stolen social security number or credit card number. A health record is so much more valuable because it contains all your vital information, including social security number, birth date, etc. This allows thieves to potentially open a credit card account, or even bill health issuers or the government for false medical services.

In addition to the lucrative street value of health records, they also have an impressive shelf life. With financial information, the opportunity ends as soon as the victim becomes aware of the fraud and cancels the credit card or closes the account. With healthcare records, the information can be available on the black market for a long time. Because the information, such as a social security number, prescriptions and medical history, can’t be easily cancelled, the record preserves its value. And the information can be sold and monetized in many different ways, including buying and selling controlled medications and insurance fraud, both of which have impressive markets.

The valuable nature of a patient record is the primary reason why ransomware is becoming so prevalent in healthcare. Ransomware, where hackers encrypt network data and demand cash for the keys to decrypt the data, is extremely disruptive, especially in the medical field where time is of the essence. Healthcare IT News and HIMSS Analytics’ recent Quick HIT Survey: Ransomware reports that as many as 75 percent of U.S. hospitals responding to a poll could have been hit with ransomware in 2015, and many were not even aware.

Healthcare security is of growing concern as breaches are expected to accelerate in coming years. The healthcare industry has traditionally been known for lagging behind in security. In fact, many organizations don’t go beyond complying with often outdated mandates. The 2016 HIMSS Analytics Healthcare IT Security and Risk Management Study reported that only a quarter of respondents have a consistent and active risk management program.

It seems healthcare in the U.S. lags behind several more progressive countries in Europe. In the Netherlands, Albert Schweitzer Ziekenhuis (ASZ) treats more than 500,000 patients every year at its main hospital and system of outpatient clinics. This hospital is a good example of an organization that successfully balances security and convenience. With more than 4,000 staff members, ASZ uses one-time password tokens with a cloud-based authentication server. This ensures the security and privacy of patient information, but gives physicians and caretakers the access they need to relevant medical documentation whether in or outside of the hospital building. Read more about how ASZ protects access to medical documentation.

Sweden is another progressive country when it comes to security and privacy of patient records. SITHS is the initiative in Sweden that uses smart cards to identify employees in health and social care and ensures security with login and digital signatures. The core requirement is to strengthen the healthcare practitioner’s digital identity with two-factor authentication based on smart cards, improving patient safety and protecting personal privacy. Healthcare workers use their SITHS card to log in to the National Patient Overview, a portal that allows for all patient records to be maintained online. Currently, 100% of all documentation in primary care is in Electronic Healthcare Records (EHR). In addition, more than 95% of all pharmaceutical prescriptions in Sweden are issued and transferred electronically as ePrescriptions. Take a look at Sweden’s digital healthcare offering.

Now that we’re finally getting knowledgeable about securing patient records electronically, along comes the mobile movement. Physicians and other caretakers want to use mobile devices to conveniently move from patient to patient without being attached to an in-facility network computer. In The New Plague part 3, we’ll take a look at how to prepare for the next challenge in healthcare security: mobile.
