In the world of cybersecurity, the healthcare industry is under siege. A Google search for ” healthcare breach ” now yields about 28,000,000 results , where a Google news search returns 100,000 news articles. Stolen healthcare insurance credentials are like a significant other to a hacker and may reveal things we would prefer to keep private and hidden. In 2015, healthcare data breach victims appear to be adrift with little or no protection or navigation.
“The risk for ongoing data exfiltration, theft and subsequent HIPAA (Health Insurance Portability and Accountability Act) violations has never been higher.” -Moshe Ben-Simon, Electronic Health Reporter
The 2015 Ponemon Institute Benchmark Study on Privacy and Security of Healthcare Data1 stated that data breaches could be costing the healthcare industry approximately $6 billion dollars. More than 90 percent of the respondents surveyed lost data, and 40 percent had more than five data breaches within a two year period. Compared to five years ago, criminal attacks on healthcare organizations are up a whopping 125 percent and are now the leading cause of data breaches. Unfortunately, only 40 percent of the organizations surveyed were concerned about cyber attacks.
Wall of Shame
Since 2009, the Health and Human Services (HHS) Office for Civil Rights (OCR) has published all data breaches that involve 500 individuals or more online at The U.S. Department of Health and Human Services Breach Portal . This section of the HHS website is known to the healthcare industry as the infamous “Wall of Shame.”
HHS definitions 2
- Health plan: Any individual or group plan (or combination) that provides, or pays for the cost, of medical care.
- Health provider: Any person or organization that is paid for health care in the normal course of business.
I performed a filtered query using the advanced search feature for unsecured protected health information (PHI) for a 2 year period:
The Health Plan category returned 80 records of which 13 records affected more than 50,000 individuals with the primary location of the hacked data on network servers and hacking/it incidents as the most popular mode of entry into the network. One server was stolen.
The Healthcare Provider category returned 364 records of which 17 records affected more than 50,000 individuals. Network servers, desktop computers, other portable electronic devices, and paper/films with the top 3 modes of entry via hacking/IT incident, unauthorized access/disclosure, and theft.
Two years ago Dell Secureworks reported that underground marketplaces were selling individual healthcare insurance credentials for $20 each that included “names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims.”
With all of the paranoia going on in the marketplace since the Silk Road bust, hackers have become more insidious and secretive with their marketing techniques and the sale of stolen healthcare data. Seasoned hackers conduct sales behind closed doors via private encrypted messages or make other stealth arrangements. They are sensitive to the underground markets that are teeming with security researchers and law enforcement (LE), so they tend to pay due diligence to anonymity and consistently tighten up their OPSEC (operational security) practices.
To the hackers, the data is merely numbers and codes. But there are real people victimized by data breaches. For example:
“Taylor” is a popular keynote speaker in his industry and suffers bouts of severe depression and is in therapy for self-harming behaviors; his wife “Jamie” works for a Fortune 500 company and has been in treatment for bulimia for 18 months. Both husband and wife believed that their medical conditions were private and only shared between their treatment team, electronic medical records (EMR), and themselves. Not anymore. If data is the new currency, the bad guys appear to be winning.
The Winner Takes All
Though stolen credit card data still flourishes in the underground marketplace, it has a short shelf life and the vendors are aware that stolen cards will immediately be canceled once the bank detects fraud. On the contrary, stolen medical credentials are a whole different ballgame. Medical identity theft can go undetected for weeks, months, and even years. Many victims are unaware that their medical records have been breached until they receive a bill from the hospital or are harassed by a debt collector. The trickery rarely stops at this junction because the victim may have a combined medical history with the thief now.
The value behind stolen healthcare data
- There are many opportunities for fraud when data is combined with a social security number; birthdate; health history, etc.
- The data can be sold to uninsured buyers who can then file false claims using the policy ID number with fake provider number.
- The thieves can file fraudulent insurance claims.
- The data can be used as a precursor for identity theft.
- Thieves can use the data to open up new credit accounts.
- The victims can be targeted for phishing email and ransomware.
- The thieves can obtain prescription medication to resell on the blackmarket.
- It can take years for this type of breach to be identified.
- Underground demand for personal health data is far more valuable than credit card data.
- Thieves could also use extortion as a tool to threaten policyholders with medical disclosure.
- Victims could be stalked.
The threat cyberthreat landscape is changing at an ominous pace. As the healthcare industry continues to transition to EMR and data breaches grow more difficult to detect, healthcare providers must make security requisite. Caring for patients means securing their PHI now.
In my next article I will share what vulnerabilities you should be looking for in your healthcare environment and tips to increase information security.
1 ID Experts.”Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data.” Ponemon Institute© Research Report 2015. Web. 11, August 2015. https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
2 U.S. Health & Human Services.”Entities Covered by the HIPAA Privacy Rule 2003. Web. 13, August 2015. http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/coveredentities.pdf
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More.Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.