Credit card data isn’t quite the mother lode it once was for cyber thieves. Not only is its useful life generally brief, it also isn’t worth as much as it used to be.
But cyber criminals are, among other things, adaptable. As Daniel Berger, CEO of Redspin puts it, "hackers are bad guys but good economists.” So they simply turn to something that provides a bigger bang for the buck.
And that, increasingly, is the data you voluntarily turn over to doctors, hospitals and health insurers, known as PHI, or Personal Health Information.
The Identity Theft Resource Center reported in January that the healthcare sector accounted for more reported breaches than any other sector for the third year in a row, with 42.5% of the total in 2014.
According to multiple reports, the PHI of nearly 120 million Americans has been compromised since the 2009 Breach Notification Rule took effect as part of the federal Health Information Technology for Economic and Clinical Health (HITECH) Act.
The large majority of those – 80 million – come from a single breach, of health insurance giant Anthem in January of this year. But there have been others in the millions: Community Health Systems reported 4.5 million records compromised from April to June 2014, and Premera Blue Cross reported this past March on a breach of 11 million records.
The most obvious reason PHI is increasingly targeted is that it is more valuable. The Associated Press reported earlier this year that medical data fetch up to 10 times the price that stolen credit cards do in cyber crime marketplaces, for a number of reasons:
- A credit card can be quickly canceled and replaced. PHI – your name, age, gender, address, Social Security number, diagnosis codes, insurance information and personal medical history – can’t be changed.
- Credit card data are basically good only for retail purchases. But PHI can be used to create fake IDs to buy medical equipment or drugs and to file fraudulent insurance claims.
“A stolen credit card number may help a person net a few thousand in fraudulent charges,” said Christopher Frenz, director of IT infrastructure at Interfaith Medical Center, “but a stolen insurance identity could net someone a heart bypass costing in the hundreds of thousands.”
Such detailed personal data can make targeted email or spear phishing attacks easier and more effective. And intimate, private and potentially embarrassing medical information could be used for espionage or blackmail.
It is “rich data,” in the words of Morris Panner, CEO of DICOM Grid. “Physicians want to treat the whole person, and that means having a lot of data,” he said. “Then add all the credit and insurance information necessary for billing and reimbursement.”
Besides being more valuable, it is relatively easy to get. Gary Davis, in a recent post on the McAfee blog, called it “low-hanging fruit for hackers.”
Most experts agree, even though in recent years there has been a greater awareness of the need for security of medical data. Both the federal Health Insurance Portability and Accountability Act (HIPAA) and HITECH mandate security policies, controls and other protections.
Martin Fisher, an information security manager for an Atlanta-based hospital system, said that those laws, along with “enhanced enforcement by the OCR (Office for Civil Rights), have made a difference. I think the constant bar-raising and the willingness to impose large fines is moving the industry in the right direction,” he said.
Still, he believes, “the state of security of PHI is where credit card data was five years ago.”
And there are multiple reasons why making it more secure will not be a simple thing:
- Like most information, it is increasingly digitized. In the past, a thief might make off with a hundred folders by breaking into an office. Now, millions of records are accessible on healthcare networks.
- There is more of it. Millions more people are covered by health insurance. Panner also points to “new and innovative sources of health information, whether that is fitness tracker data or rich genomic data.”
- It needs to be available immediately in an emergency. “Do you want your grandmother’s allergen information requiring complex passwords in the emergency room while she's going into shock?” Fisher asked.
- It is intended to be shared. The so-called “Meaningful Use” rule that is part of the Medicaid EHR (Electronic Health Record) incentive program requires that PHI be shared with other providers.
“We don't have good trust methods set up for that yet,” Fisher said.
Panner agrees. “Health information has a strange paradox,” he said. “You want it to be private from most people, yet when you require care, you want a lot of people to see it, really fast. You just want it to be the right people at the right time. That is a very tough workflow, and nothing similar exists in the retail or financial world.”
- Patient access. Patients are given their information to take with them on USB thumb drives or DVDs, to be downloaded elsewhere.
- More of it is online. There are portals that allow patients to access their medical records from home. The goal is to give patients more involvement in their own care and thereby improve clinical outcomes.
But Frenz noted that, “done insecurely, a patient portal is an easily exploitable public facing doorway into a healthcare institution's EHR system.”
Frenz stressed that his opinions are not necessarily those of his employer, and that they reflect his view of the healthcare industry as a whole, not any specific organization.
But he said that besides the Meaningful Use rule, the medical field has seen “increasing adoption of PACS (Picture Archiving and Communication System) for radiology departments, the widespread adoption of mobile devices by many physicians, and an ever-increasing amount of medical equipment becoming network enabled.”
He said these are all aimed at improving care, but that many organizations “rolled out these technologies without being able to devote as many resources to the information security aspects of things as they could the patient-care aspects.”
Indeed, the drive for improved patient care, while obviously laudable, tends to leave security as the proverbial afterthought.
“There is a tension for many providers,” Fisher said. “Do we spend on security, which can be big dollars, or do we buy a new clinical device like an MRI? Many healthcare CISOs do not know how to tie the mission and needs of security to the core mission of the provider, and lose that argument every single time.”
Berger sees the same thing. “PHI is anything but ‘protected,’” he said, noting that spending in the healthcare industry on security “is very low compared to other industries that rely on sensitive data.”
He doesn’t see rapid improvement on the horizon either, even with more awareness and tougher regulation. “The overall ecosystem may get better in the future but the glaciers may melt before that can happen,” he said.
That doesn’t mean nothing can be done before the glaciers melt, however.
Berger said, for starters, “PHI should be considered an asset within organizations and be treated as such in the overall governance and risk management process.”
Fisher agreed. “Understand that security is a crucial part of patient safety and quality of care and prioritize security that way,” he said.
He also urged organizations to focus on what many experts call basic security hygiene. “Patch and maintain your machines,” he said. “Do good user access management. Pick a framework, do your required security risk assessment and then relentlessly work the remediation plan.”
Panner said government should play a more active, and modern, role. HIPAA, he said, which became law in 1996, “wasn't designed for an Internet and cloud-enabled health system. We can and should do better.”
And Frenz emphasized that it takes people as well as technology to improve security. “Establishing a culture of security is very important – get employees to understand that security is the responsibility of every employee and not just IT or people with the word security in their title,” he said.
“This will not only help to mitigate issues from human error or social engineering attacks, but will also make other control initiatives more palatable to employees, since they will have a better understanding of the rationale behind the control.”