What's the difference between data theft from a bank account versus a healthcare record? For starters, think of theft from a bank account as the equivalent of a single withdrawal; one and done. Sooner than later it's discovered, a new account number is issued and, as a hacker, you're effectively cut off. When it comes to a healthcare record, however, think of it as an annuity, something you can continue to cash in on because, unlike a bank record, you simply can't change your medical history. A healthcare record will continue to pay dividends for a hacker as long as they want it to.
The Damage Done
In the latter case in particular, there's no shortage of money to be made. In fact, Accenture recently estimated cyber attacks will cost hospitals more than $305 billion through 2020 with one in 13 patients expected to have their data compromised by a breach.
But the damage doesn't stop there. A study by the Brooking Institution projects that one in four data breaches this year will occur within healthcare, and since late 2009, the PHI of more than 155 million Americans has been exposed. Of course, this doesn't take into consideration the multiple instances of ransomware attacks plaguing healthcare institutions in recent months that the FBI sent a warning about.
In recent news, one hacker reportedly placed upwards of 650,000 healthcare records for sale on the dark web. With price points for those databases ranging from $100,000 to $411,000 - and each of those records available for use and reuse by hackers into perpetuity - the analogy to a stolen healthcare record as an annuity isn't very far off the mark.
The Regulatory Environment, Other Vulnerabilities Exposed
Much like a culture growing in a Petri dish, the combination of industry regulation and a myriad of state-specific laws have produced the perfect environment for hackers to breach these records. In fact, to comply with these requirements, many hospitals often store patient PHI for years on end. If you do the math, the possibility of a data breach can only increase based on the amount and length of time it is stored.
Moreover, the majority of healthcare organizations have failed to satisfy even basic security practices. These include disabling concurrent login to multiple devices. enforcing strong authentication, and isolating critical devices and medical data storing servers from a direct internet connection. In the 2016 RSA Cybersecurity Poverty Index it reported that just 27% of healthcare respondents rated themselves as having "developed or advantaged" cybersecurity maturity and practices, including incident response and risk identification.
This is only further complicated by the Internet of Things. For example, if a device is connected to the Internet (e.g. a heart monitor or similar device that allows a patient to remotely upload their conditions to their provider at daily intervals), an attacker could then remotely connect to it and use it as a gateway to breach network security.
There is no single solution or technology on the market today to solve the problem, but going back to basics is a start. Especially with stringent requirements from HIPAA, HITECH, and the EU Data Protection Directives, healthcare providers need solutions that minimize risk; detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately, prevent identity theft, fraud, and cybercrime.
Employee education is one area that is underrated. While we can't have employees paranoid every email attachment they open may include a potential gateway for hackers into the network, we must train them on these types of threats, the potential damage it can cause and the dangers of opening emails or their attachments, even when they're addressed personally to them. It's like preventative medicine in a way.
While information sharing across the healthcare industry has been bolstered with the passage of the Cybersecurity Information Sharing Act (CISA) in December 2015, it's still up to individuals in the healthcare environment to mitigate external threats both in the short and long-term by reporting suspicious emails to supervisors and thinking of their environment as an ongoing target.
Learn more by following: @RSAFraud
Author: Angel Grant, CISSP
Category: RSA Point of View, Blog Post
Keywords: Anti-Fraud, Cybercrime, Cybercrime and Fraud, Cybersecurity Poverty Index, Healthcare, Malware, Phishing, Ransomware