December 2, 2016
If you aren’t in the cyber security industry, you might have missed a big news story this year. There were no explosions, no blood was shed, and no animals were dramatically rescued. Kanye West wasn’t involved either, so most mainstream news sources skipped over it. What you may have missed is that a cyber hacking group named TheDarkOverlord accessed more than 10 million medical records in various hacks and then tried to sell the information on the darknet.
Since June, TheDarkOverlord has attacked several healthcare providers and now claims to hold the records of millions of Americans. Initially, the group attempted to blackmail the companies it had breached, but it then offered the records on the darknet in exchange for bitcoin.
Maybe you aren’t too concerned about this story, but you should be. The next hack could steal your medical records. Think about how much information is in there: your name, birth date, address, phone number, insurance details, Social Security number and medical history. Anyone with access to that much of your personal data could easily use it against you. At the low end of the scale, you might have to deal with fraud. In some cases it is much worse, with people facing extortion and personal threats.
This isn’t even the biggest hack of health records to take place—not even close. That honor goes to Anthem, Inc., a healthcare conglomerate that was hacked in 2015. Almost 80 million people were affected; however, Anthem representatives stated that only personal information was leaked, not any medical or financial records. It’s widely assumed the information was sold to cyber criminals, but it’s hard to know how much damage has actually been done.
In September, the medical records of several US Olympic athletes were released. It is believed that Russian hackers accessed the World Anti-Doping Agency’s database through a phishing scam. Records of the Williams sisters, Simone Biles and Elena Delle Donne were published, and the disclosure could have huge impacts on their athletic careers.
Not only are these attacks becoming more common, it also seems that healthcare companies do not have adequate security plans in place to deal with them. According to Bitglass’s Healthcare Breach Report 2016, more than 113 million medical records were compromised in 2015. Data from the Office for Civil Rights shows that there have been at least 229 breaches as of October this year.
Why target medical records? Money. The same reason a lot of people get up in the morning. Whether it’s to pay for their mortgage or to buy something more ostentatious like a Kodiak bear, a lot of cyber criminals are targeting medical records because they are valuable. It might come as a shock to you that those X-rays you had as a kid are actually worth money. In fact, medical records can be worth hundreds of dollars on the black market.
Why, you ask? Because they can be used in many illicit ways; simple fraud (passing medical documentation off as your own), making false insurance claims, ordering prescriptions, and creating fake IDs are just a few examples. This information can even be used for extortion. Let’s say a hacker stumbles across the HIV diagnosis of a very famous person, or a terminal illness that a CEO is keeping hidden from the boardroom. These individuals might be willing to pay out millions to keep the information from seeing the light of day.
Health records are worth a lot more than your credit card information. This is because financial information is protected with safeguards that health records don’t have. If you lose a credit card you can get a replacement card, and insurance will protect you from any financial losses—you don’t lose your money. On the other hand, medical records cannot just be replaced if they are stolen—that information is out there forever. Unfortunately, medical record theft often isn’t discovered for years after the fact, which means criminals can use the information for longer than credit card numbers: they have more time to profit from it.
Much healthcare hacking uses the same techniques that are used to target other industries. The biggest difference is that there is much more at stake when complete medical records are involved. Many of these attacks begin with phishing, something many of us have likely encountered before. The hacker sends a deceptive email to a healthcare organization hoping that personnel will divulge the small bits of information (credentials, account details) needed to access medical records.
You might not want to hear this, but cyber security in the healthcare industry is bad. Really bad. In BitSight’s third annual industry report, the healthcare industry was ranked fifth in terms of security. The only industry behind it was education, which isn’t exactly great news either.
Why does healthcare have such a poor track record for information security? The first thing many blame is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although it was an important regulatory step, it is outdated and sets no official compliance standard. Many companies have security solutions that are compliant with the act, but not necessarily safe or optimal. One key flaw of the HIPAA regulations is that they don’t require medical records to be encrypted.
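The encryption gap just described is the one concrete control in this post that code can make visible. What follows is an added example, not code from the original post or from any HIPAA, HITECH or HITRUST material: a constructed patient record is stored once as plain JSON (what an unencrypted database holds) and once sealed with AES-256-GCM, and the two blobs are checked for whether a raw dump would still expose a field. The record layout, field names, sample values and the `StorePlain`, `SealRecord`, `OpenRecord` and `LeaksField` helpers are all assumptions made for this example; only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// PatientRecord is a constructed stand-in for the protected health
// information the post lists; the field layout is an assumption.
type PatientRecord struct {
	Name      string `json:"name"`
	BirthDate string `json:"birth_date"`
	SSN       string `json:"ssn"`
	Diagnosis string `json:"diagnosis"`
}

// StorePlain is the "before": the record serialised as it would sit in a
// database that stores PHI unencrypted. A dump of that table is the leak.
func StorePlain(rec PatientRecord) ([]byte, error) {
	return json.Marshal(rec)
}

// SealRecord is the "after": the same record under AES-256-GCM. The stored
// blob is nonce || ciphertext || tag; the key is held elsewhere (a KMS or
// HSM in practice), so a database dump on its own reveals nothing.
func SealRecord(key []byte, rec PatientRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenRecord decrypts a sealed blob. GCM's authentication tag means a blob
// that was modified, or opened with the wrong key, is rejected outright
// rather than decrypted into garbage.
func OpenRecord(key, blob []byte) (PatientRecord, error) {
	var rec PatientRecord
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < gcm.NonceSize() {
		return rec, errors.New("sealed record too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return rec, fmt.Errorf("record rejected (tampered or wrong key): %w", err)
	}
	if err := json.Unmarshal(plain, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

// LeaksField reports whether a stored blob still contains a field value
// verbatim, i.e. whether someone holding a raw dump could read it.
func LeaksField(stored []byte, value string) bool {
	return strings.Contains(string(stored), value)
}

// newGCM builds the AEAD; it insists on a 32-byte key so AES-256 is used.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample data; nothing here refers to a real person.
	rec := PatientRecord{Name: "Jane Example", BirthDate: "1980-01-02",
		SSN: "000-00-0000", Diagnosis: "constructed sample"}
	plain, _ := StorePlain(rec)
	sealed, _ := SealRecord(key, rec)
	fmt.Println("plaintext storage leaks SSN:", LeaksField(plain, rec.SSN))
	fmt.Println("sealed storage leaks SSN:   ", LeaksField(sealed, rec.SSN))
	sealed[len(sealed)-1] ^= 0x01 // simulate a modified stored blob
	_, err := OpenRecord(key, sealed)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point for a defender is the contrast in `LeaksField`: the plain JSON exposes every field to anyone who obtains the table, while the sealed blob exposes nothing without the separately held key, and GCM's tag means a tampered or wrong-key blob fails closed instead of yielding a plausible-looking record. Per-record random nonces matter because GCM is broken by nonce reuse under the same key.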
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was brought in to help reform healthcare with a national network of records. HITECH included provisions that were meant to address some of the problems associated with HIPAA. This included mandatory reporting for organizations whose data had been breached and updated penalties for the businesses involved.
Because the realm of security and compliance was so complicated for many healthcare providers, the Health Information Trust Alliance (HITRUST) was formed by a coalition of industry members to create a framework that organizations could use for dealing with health and financial information. Some of the key players involved include Anthem, Inc, Health Care Service Corporation and Walgreens. The HITRUST Common Security Framework (CSF) covers various federal and third-party guidelines and regulations in order to help organizations ensure that they are not only compliant, but they also provide effective security.
Sometimes people don’t find out that their information has been compromised until it is much too late. Only massive thefts ever make the news and, even then, few people tend to look into them. Organizations are required to notify individuals if their information has been leaked, but it is easy for people to miss these letters or emails. Sometimes, they find out about their medical records being stolen years later when debt collectors come knocking at their door—with a bill that has been fraudulently entered in their name.
The good news is that the HITECH Act of 2009 mandates that all breaches of health data affecting more than 500 people must be posted publicly. A list of the breaches can be found on the website of the Office for Civil Rights. This site includes information on the organizations that have been breached, the number of people affected and more.
Regulation for healthcare providers is a complete mess. There is a lot of overlap and even some gaps. If you are looking for a prescriptive HIPAA compliance standard, look no further than HITRUST. As a HITRUST CSF Assessor, we are here to help you establish a trust and assurance program that fits your budget and timeline.
Security is everyone’s responsibility. Contrary to popular belief, it’s often an uninformed (or overly helpful) employee that accidentally compromises your data. Our training programs are designed to educate your staff about security best practices, debunk common misconceptions, and impart general “street smarts” to help keep your business safe.
No matter how strong your defenses are, an attack can always break through. When it does, it’s important to be prepared. In the healthcare space, any delay to recovery is the difference between life and death.
Each business is different. Some might need advice and expertise, while others require people and skills. We can be your team—or extend it—and we offer 24/7 network and security operation centers should you need them. Combating cyber attacks means that you need to stay vigilant, particularly in the health industry.