Healthcare data and data breaches: A second opinion

We've barely begun 2015, yet some security predictions made at the end of last year are already being tested. One of those was a prediction by RSA that criminals will turn their attention to stealing personal health information, and the recent attack on US health insurer Anthem is just one symptom that it might be happening sooner than our initial diagnosis.

It's evident that healthcare records matter, but why? Why would a criminal be interested if you went to your local GP three times this year? What is being done to secure records? Where does Australia fit compared to other parts of the world?

Is there really an unhealthy obsession?

According to the Identity Theft Resource Center's 2013 report, the healthcare sector accounts for more than 44 percent of reported major data breaches -- higher than the business sector, which accounts for about 32 percent.

The high share is partly because US regulation requires healthcare incidents to be reported, but criminals also have more reasons to steal healthcare information than the credit card data we are used to seeing, not least because of how much it is worth.

What is healthcare data worth?

RSA has seen stolen health credentials being sold for US$10 each; a record includes names, birth dates, policy numbers, diagnosis codes and billing information. Although this can represent about 10 or 20 times the value of a typical US credit card, the difference fluctuates because the price of batches of credit card numbers varies with supply and demand.

For example, Asian credit cards are typically harder to obtain, increasing their value on underground markets. However, in the event of large retail breaches, the overall price of credit cards can drop significantly as the market is flooded with enough cards to meet demand.

RSA has seen credit cards sold in batches of 1000 for as little as US$50 and ranging occasionally into the low hundreds.

How does healthcare data differ from credit card information?

While stolen credit cards are used primarily for fraudulent purchases, healthcare data is instead used for identity theft. As banks become more efficient at responding to fraud and cancelling cards, the "freshness" of a stolen credit card becomes an important factor for thieves.

Customers can easily change or cancel their cards at the first sign of fraud, but their health data is unique to them and cannot be changed. This makes it much more valuable to criminals, but also more important for individuals to protect.

What do criminals do with the data?


Using the healthcare data, criminals can create fake IDs to buy medical equipment or drugs they would not normally have access to. However, they can also combine a patient number with a false provider number and file made-up claims with insurers. As the claims procedure often has valid payment information already in place, or agreements are drawn up as part of employee benefits to expedite the process, criminals don't need to provide these details.

Alternatively, in a reimbursement scheme, criminals can modify payment details after stealing the individual's identity.

In a recent case, one patient in the US learned that his records were compromised only after he started receiving bills related to a heart procedure. His credentials were also used to illegally purchase a mobility scooter and several pieces of medical equipment, amounting to tens of thousands of dollars in total fraud.

What is being done to protect healthcare records?

Australia is still behind the US on data breach notification legislation. In the business sector, the stand-out example is California's Senate Bill 24 on Data Security Breach Reporting, which requires businesses or state agencies to report when Californian residents' information is involved in a security breach.

In addition, with cybersecurity issues coming to the fore recently amid accusations of spying by nation states, the US is actively debating national legislation on top of the existing state-based provisions for data breach notification. Already, more than three quarters of the members of professional IT body ISACA who were surveyed are in favour of national legislation.

In Australia, the debate has a long history, with breach notification recommendations made as part of the Australian Law Reform Commission's review of the Privacy Act. The review began almost a decade ago, with formal recommendations made after a 28-month process, but the recommendations only began to see movement through Parliament in 2012. A 2013 report by the Office of the Australian Information Commissioner (OAIC) found in passing that "for government agencies, nearly all Australians (96%) believe that they should tell them how their personal information is stored and protected, and that they should be informed if their personal information is lost (96%). The results for private businesses are similar (95% and 96% respectively)."

Despite this, data breach notification remains only a recommended action for the private sector in Australia, meaning that private health insurers are under no obligation to report a breach involving health records. They may be found to be in breach of the Privacy Act for failing to take "reasonable steps" to protect such information, but under existing legislation they cannot be penalised for remaining silent about the breach.


Mandatory data breach legislation does exist, however, for Australia's national eHealth records system, formerly known as the Personally Controlled Electronic Health Record (PCEHR) system. The PCEHR Act governs the national records system and requires those responsible for operating the system to inform the Australian Information Commissioner if there has been a breach.

In its 2013/14 financial year report, the OAIC revealed that it had received two mandatory breach notifications from the nation's PCEHR operator. The causes of both breaches were quickly resolved to the OAIC's satisfaction.

Are we protected?

It is encouraging to see mandatory notifications for the nation's eHealth records system forcing more focus on the protection of healthcare information. But private healthcare providers that are as yet exempt from such laws should recognise that as slow as legislation may be to reach them, the criminal threat is already here.

These organisations are, in general, poorly prepared to deal with any form of modern cyber attack. In Australia there is still a focus on adding more preventative controls and technology with the false belief that they can be set and forgotten and raise an alert when anything bad happens.

This is akin to the medieval castle adding more bricks to the perimeter wall. Attackers will come back with a bigger ladder, or a different mechanism to get over the wall. Forward-leaning security organisations have changed the way they approach cybersecurity. They have come to accept that it is likely they will get hacked -- that the attacker will eventually get over the wall.

To address this, they are instead focusing on detection and response to ensure that once someone gets over the wall, they can be quickly detected and dealt with before they are able to do any damage.

Of course, there are healthcare organisations that are leading the way in protecting their customers' data, including healthcare data, and these organisations are typically developing their security around the triad of visibility, analysis and action.

Visibility means insight into all aspects of their environment, including security logs, full network packet capture, net flow data and behavioural data from endpoints. Analysis means detecting anomalies -- rather than looking for the needle in a haystack, or even the needle in a stack of needles, they remove the hay until only the needle is left. And action means taking the appropriate steps to eliminate the threat.

In order to achieve this, these organisations need to rebalance their priorities across prevention, detection and response, so that rather than just adding more technology (or bricks), the business ensures its people have the right skill sets, experience and defined processes to work through incidents as they are raised.
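The "remove the hay" approach to analysis described above can be shown in a small detection script. This is an added example, not code from the article or from any of the organisations it mentions: the record-access log lines, the user names, the roles and the baseline rules (which actions each role is expected to perform, business hours, internal address ranges) are all constructed here to illustrate the idea. Instead of searching for a known bad pattern (the needle), the script subtracts everything that matches the expected baseline and hands the analyst only what is left.

```python
"""Whittle a patient-record access log down to anomalies by removing the known-good 'hay'.

Added illustration; the log, users, roles and baseline rules below are constructed
for this example and do not describe any real system.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log of access to patient records (key=value fields after a timestamp).
SAMPLE_LOG = """\
2015-02-10T09:12:04 user=nurse.kim role=nurse action=view patient=P1001 src=10.1.4.22
2015-02-10T09:14:31 user=dr.ahmed role=doctor action=view patient=P1002 src=10.1.4.23
2015-02-10T09:20:10 user=dr.ahmed role=doctor action=update patient=P1002 src=10.1.4.23
2015-02-10T10:02:45 user=billing.jo role=billing action=view patient=P1003 src=10.1.6.10
2015-02-10T02:17:09 user=billing.jo role=billing action=export patient=P1004 src=203.0.113.7
2015-02-10T02:17:11 user=billing.jo role=billing action=export patient=P1005 src=203.0.113.7
2015-02-10T02:17:13 user=billing.jo role=billing action=export patient=P1006 src=203.0.113.7
2015-02-10T11:40:00 user=nurse.kim role=nurse action=view patient=P1007 src=10.1.4.22
"""

# The baseline of expected behaviour: this is the hay we remove. Assumed values for the example.
ALLOWED_ACTIONS = {"nurse": {"view"}, "doctor": {"view", "update"}, "billing": {"view"}}
BUSINESS_HOURS = range(7, 20)       # 07:00 to 19:59 counts as normal working time
INTERNAL_PREFIXES = ("10.",)        # addresses considered on-site


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp and the key=value fields."""
    timestamp, *fields = line.split()
    event = {"ts": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S")}
    event.update(dict(field.split("=", 1) for field in fields))
    return event


def reasons(event):
    """List every way this event falls outside the baseline; an empty list means it is hay."""
    out = []
    if event["action"] not in ALLOWED_ACTIONS.get(event["role"], set()):
        out.append(f"action '{event['action']}' not expected for role '{event['role']}'")
    if event["ts"].hour not in BUSINESS_HOURS:
        out.append("outside business hours")
    if not event["src"].startswith(INTERNAL_PREFIXES):
        out.append(f"external source address {event['src']}")
    return out


def triage(log_text):
    """Subtract the baseline from the log and report what survives for an analyst to look at."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    flagged = [(event, reasons(event)) for event in events if reasons(event)]
    return {
        "total": len(events),
        "hay_removed": len(events) - len(flagged),
        "anomalies": flagged,
        # Group by user so a burst of odd events becomes one finding rather than many alerts.
        "by_user": Counter(event["user"] for event, _ in flagged),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} events, {result['hay_removed']} removed as baseline")
    for event, why in result["anomalies"]:
        print(event["ts"], event["user"], event["action"], event["patient"], "->", "; ".join(why))
```

Run as written, the script discards the five routine events and leaves three bulk exports by a billing account at 02:17 from an off-site address, each flagged on three independent grounds. The point of the design is that nothing here had to know what an "export attack" looks like; the baseline alone exposed it, which is why the approach scales to threats that have no signature yet. In practice the baseline would be learned from weeks of logs rather than hard-coded, and the analyst's action step would follow the organisation's own incident process.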
