Personal health information in the wrong hands can be painful

Cyber criminals are, among other things, adaptable

Credit card data isn't quite the mother lode it once was for cyber thieves. Not only is its useful life generally brief, it also isn't worth as much as it used to be.

But cyber criminals are, among other things, adaptable. As Daniel Berger, CEO of Redspin puts it, "hackers are bad guys but good economists." So they simply turn to something that provides a bigger bang for the buck.

And that, increasingly, is the data you voluntarily turn over to doctors, hospitals and health insurers, known as PHI, or Personal Health Information.

The Identity Theft Resource Center reported in January that of reported breaches, the healthcare sector had the most for three years in a row, with 42.5% of the total in 2014.

According to multiple reports, the PHI of nearly 120 million Americans has been compromised since the 2009 Breach Notification Rule took effect as part of the federal Health Information Technology for Economic and Clinical Health (HITECH) Act.

The large majority of those 80 million are from a single breach, of health insurance giant Anthem in January of this year. But there have been others in the millions: Community Health Systems reported 4.5 million records compromised from April to June 2014, and Premera Blue Cross reported this past March on a breach of 11 million records.

The most obvious reason is that it is more valuable. The Associated Press reported earlier this year that medical data fetch up to 10 times the price that stolen credit cards do in cyber crime marketplaces, for a number of reasons:

  • A credit card can be quickly canceled and replaced. PHI (your name, age, gender, address, Social Security number, diagnosis codes, insurance information and personal medical history) can't be changed.
  • Credit card data are basically good only for retail purchases. But PHI can be used to create fake IDs to buy medical equipment or drugs and to file fraudulent insurance claims.

"A stolen credit card number may help a person net a few thousand in fraudulent charges," said Christopher Frenz, director of IT infrastructure at Interfaith Medical Center, "but a stolen insurance identity could net someone a heart bypass costing in the hundreds of thousands."

Such detailed personal data can make targeted email or spear phishing attacks easier and more effective. And intimate, private and potentially embarrassing medical information could be used for espionage or blackmail.

It is "rich data," in the words of Morris Panner, CEO of DICOM Grid. "Physicians want to treat the whole person, and that means having a lot of data," he said. "Then add all the credit and insurance information necessary for billing and reimbursement."

Besides being more valuable, it is relatively easy to get. Gary Davis, in a recent post on the McAfee blog, called it "low-hanging fruit for hackers."

Most experts agree, even though in recent years there has been a greater awareness of the need for security of medical data. Both the federal Health Insurance Portability and Accountability Act (HIPAA) and HITECH mandate security policies, controls and other protections.

Martin Fisher, an information security manager for an Atlanta-based hospital system, said that those laws, along with "enhanced enforcement by the OCR (Office for Civil Rights)," have made a difference. "I think the constant bar-raising and the willingness to impose large fines is moving the industry in the right direction," he said.

Still, he believes, "the state of security of PHI is where credit card data was five years ago."

And there are multiple reasons why making it more secure will not be a simple thing:

  • Like most information, it is increasingly digitized. In the past, a thief might make off with a hundred folders by breaking into an office. Now, millions of records are accessible on healthcare networks.
  • There is more of it. Millions more people are covered by health insurance. Panner also points to "new and innovative sources of health information, whether that is fitness tracker data or rich genomic data."
  • It needs to be available immediately in an emergency. "Do you want your grandmother's allergen information requiring complex passwords in the emergency room while she's going into shock?" Fisher asked.
  • It is intended to be shared. The so-called "Meaningful Use" rule that is part of the Medicaid EHR (Electronic Health Record) incentive program requires that PHI be shared with other providers.

"We don't have good trust methods set up for that yet," Fisher said.

Panner agrees. "Health information has a strange paradox," he said. "You want it to be private from most people, yet when you require care, you want a lot of people to see it, really fast. You just want it to be the right people at the right time. That is a very tough workflow, and nothing similar exists in the retail or financial world."

  • Patient access: patients are given their information to take with them on USB thumb drives or DVDs, to be downloaded elsewhere.
  • More of it is online. There are portals that allow patients to access their medical records from home. The goal is to give patients more involvement in their own care and thereby improve clinical outcomes.

But Frenz noted that "done insecurely, a patient portal is an easily exploitable public facing doorway into a healthcare institution's EHR system."

Frenz stressed that his opinions are not necessarily those of his employer, and that they reflect his view of the healthcare industry as a whole, not any specific organization.

But he said that besides the Meaningful Use rule, the medical field has seen "increasing adoption of PACS (Picture Archiving and Communication System) for radiology departments, the widespread adoption of mobile devices by many physicians, and an ever-increasing amount of medical equipment becoming network enabled."

He said these are all aimed at improving care, but that many organizations "rolled out these technologies without being able to devote as many resources to the information security aspects of things as they could the patient-care aspects."

Indeed, the drive for improved patient care, while obviously laudable, tends to leave security as the proverbial afterthought.

"There is a tension for many providers," Fisher said. "Do we spend on security, which can be big dollars, or do we buy a new clinical device like an MRI? Many healthcare CISOs do not know how to tie the mission and needs of security to the core mission of the provider, and lose that argument every single time."

Berger sees the same thing. "PHI is anything but protected," he said, noting that spending in the healthcare industry on security "is very low compared to other industries that rely on sensitive data."

He doesn't see rapid improvement on the horizon either, even with more awareness and tougher regulation. "The overall ecosystem may get better in the future but the glaciers may melt before that can happen," he said.

That doesn't mean nothing can be done before the glaciers melt, however.

Berger said, for starters, "PHI should be considered an asset within organizations and be treated as such in the overall governance and risk management process."

Fisher agreed. "Understand that security is a crucial part of patient safety and quality of care and prioritize security that way," he said.

He also urged organizations to focus on what many experts call basic security hygiene. "Patch and maintain your machines," he said. "Do good user access management. Pick a framework, do your required security risk assessment and then relentlessly work the remediation plan."

Panner said government should play a more active, and modern, role. HIPAA, he said, which became law in 1996, "wasn't designed for an Internet and cloud-enabled health system. We can and should do better."

And Frenz emphasized that it takes people as well as technology to improve security. "Establishing a culture of security is very important; get employees to understand that security is the responsibility of every employee and not just IT or people with the word security in their title," he said.

"This will not only help to mitigate issues from human error or social engineering attacks, but will also make other control initiatives more palatable to employees, since they will have a better understanding of the rationale behind the control."

Stories by Taylor Armerding