The popularity of personal health information (PHI) is increasing among hackers, and its value continues to escalate on the black market. Medical information is especially enticing for hackers because it includes personal details such as height and eye colour that can be used to create fake identities. According to a recent FBI presentation, stolen health insurance information fetched a price of $60-70 (£42-49) on the black market, as opposed to less than a dollar for a Social Security Number.
Rampant security hacks are impacting the bottom line of healthcare organisations. The Ponemon Institute states that more than 90 per cent of hospitals and healthcare facilities in its annual study had suffered a data breach (costing an average of more than $2.1m [£1.5m] per organisation); and 40 per cent had had five or more over the past two years. This trend is expected to continue. An IDC Health Insights report predicts 1 in 3 health records will be breached in 2016.
Digitisation of medical records increases the risk
Electronic systems that store patients' prior health conditions, medications, and symptoms enable physicians to share important information about their patients' medical history with different hospitals, HMOs, healthcare providers, and pharmaceutical companies. However, digitised medical information is also more susceptible to theft.
Some of the data is leaked by methods as simple as email exchanges. An employee can send an email to the wrong person by accident, and the data is inadvertently leaked. Other times emails are intercepted and hacked. Now, with social engineering, hackers are becoming cleverer: they impersonate patients and send messages asking employees to divulge additional personal healthcare information. Often these fake emails include malware, or links to malware, that trick employees and let hackers take over their computers, giving them full access to all the information on them, including medical data.
The various third parties that have access to personal healthcare information also increase the risk. All of the companies that provide services to hospitals, including IT consulting, medical equipment, lab services, etc., have access to clinical data, increasing the risk of data leakage.
Cloud services used for backup, and to share oversized files, can also be hacked. This includes popular services such as Dropbox as well as private cloud services. In addition, any hosted application that includes medical data such as calendar systems, email accounts, and emergency medical response systems can be compromised.
Taking steps to protect healthcare data
Due to the many ways that electronic medical information can be shared or accessed, healthcare organisations must take extra measures to protect all these information flows. This includes analysing how data is sent between all the different stakeholders and all the different apps, cloud services, databases, and email servers. Each transfer of information needs to be checked and confirmed to prevent data loss, but all of these inspections should be done in a way that is as transparent as possible to the user.
In addition, any systems implemented to secure data exchanges should be readily accessible and easy to use. If the system is complicated to use, or requires the recipient to download software, employees will bypass it and send the information without any type of protection or security. Often data is compromised because in-house systems for sending large files securely are difficult to use, so employees, without understanding the security risk, send it via Dropbox or find other simpler, unsecured methods.
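One way to implement the per-transfer check described above, as an added example that is not part of the original article or Safe-T's products: every outbound email or cloud upload is classified by destination (internal, vetted partner, consumer file-sharing service, or unknown external) and scanned for PHI indicators, and the result decides whether to let it through, route it over the secure channel automatically, ask the sender to confirm the recipient, or block it. The domains and the MRN format are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed (hypothetical) domains for this example; replace with a real inventory.
INTERNAL_DOMAIN = "hospital.example"
APPROVED_PARTNERS = {"lab.example", "equipment-vendor.example"}  # vetted third parties
CONSUMER_CLOUD = {"dropbox.com"}  # unmanaged file-sharing services staff may reach for

# Heuristic PHI indicators; the MRN format here is a made-up placeholder.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[- ]?\d{6,}\b", re.I),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)\b.{0,5}\d{1,2}/\d{1,2}/\d{4}", re.I),
    "clinical_term": re.compile(r"\b(?:diagnosis|prescription|medication|lab results?)\b", re.I),
}

@dataclass
class Transfer:
    sender: str       # address of the staff member initiating the transfer
    destination: str  # recipient address (email) or service host (cloud upload)
    content: str      # message body or text extracted from the attachment

def phi_indicators(text: str) -> set[str]:
    """Return the names of the PHI patterns that match the content."""
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(text)}

def destination_class(destination: str) -> str:
    host = destination.rsplit("@", 1)[-1].lower()  # works for addresses and bare hosts
    if host == INTERNAL_DOMAIN:
        return "internal"
    if host in APPROVED_PARTNERS:
        return "partner"
    if host in CONSUMER_CLOUD or host.endswith(tuple("." + d for d in CONSUMER_CLOUD)):
        return "consumer_cloud"
    return "external"

def check_transfer(t: Transfer) -> tuple[str, set[str]]:
    """Decide allow / encrypt / confirm / block for one transfer and say why."""
    found = phi_indicators(t.content)
    dest = destination_class(t.destination)
    if not found or dest == "internal":
        return "allow", found        # nothing sensitive or stays in-house: stay out of the way
    if dest == "partner":
        return "encrypt", found      # vetted recipient: route via the secure channel silently
    if dest == "consumer_cloud":
        return "block", found        # PHI to an unmanaged sharing service
    return "confirm", found          # unknown recipient: sender must confirm the address
```

The "encrypt" path is where the transparency requirement bites: the sender should not have to do anything extra for an approved lab or vendor, otherwise the bypass the article describes is exactly what happens.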
The investment in analysing every type of data exchange is well worth it. If confidential medical records end up in the wrong hands the consequences can be very damaging. A breach of medical records could lead to identity theft, where victims could seek litigation against the healthcare organisation where the breach occurred. If the breach affected multiple patients, the practice is headed down a nightmarish long road of litigation with an equally disastrous loss of trust.
Organisations must protect personal healthcare information and comply with regulatory requirements, while allowing practitioners to gain the fast access to data necessary to provide superior patient care. By securing all the different ways that data can be exchanged (e.g. secure email), healthcare organisations have a better chance of keeping their medical information safe, and ensuring they don’t become victim to healthcare fraud.
Eitan Bremler, Vice President Products and Marketing, Safe-T