Does your birthdate or social security number change? Nope. And that’s why the healthcare industry is such a ripe target for the black market.
Your medical record is extremely comprehensive and sensitive, containing a variety of personal information including your birthdate and social security number. This data can be used for identity theft and healthcare fraud. Unlike a credit card number, a birthdate or social security number cannot simply be cancelled and reissued, so a stolen record stays useful to a criminal for years.
In addition to this very valuable data, there are several other factors driving the rise of the black market in the health industry:
- Sensitive medical information: Information regarding medical diagnoses and conditions is uniquely susceptible to blackmail demands.
- Rise of connected devices: IoT devices and medical monitoring devices add entry points for an attacker, and many of them cannot be patched or run security software.
- Widespread use of EHRs: Electronic health record systems are in use at most institutions, and every one of them is a potential target for hacking. Unstructured data (dictation, imaging, scanned medical reports, etc.) is another target, and is often less tightly controlled than the structured record.
- Use of anonymous currency: Bitcoin and similar cryptocurrencies and digital payment systems allow for easier, and largely anonymous, payment for stolen data.
- Ransomware and extortion: As the resale price of healthcare data has dropped, criminals have found options beyond selling it. Ransomware encrypts an organization's data and demands payment to restore it; extortionists threaten to release stolen records unless payment is received. In both cases the payoff is quicker than finding a buyer.
The Bad Actor Driving the Black Market
Who is taking advantage of these factors? Increasingly, the threat is coming from insiders.
Robert Lord, cofounder of cyber security company Protenus, says: “The majority of all inappropriate accesses to EHRs comes from the inside. They involve nurses or doctors, billing specialists, or administrators who have legitimate reasons for having access to systems but who abuse that access for revenge, financial gain or just plain curiosity.” In 2016, 450 breaches occurred, affecting 27 million patient records. Of those, 120 incidents resulted from outside hacking, while 200 (roughly two-thirds more) came from insider actions.
Reducing the Insider Threat
Whether negligent or malicious, the insider threat in the healthcare industry is very real.
According to Alan Kessler, CEO of Vormetric:
“Healthcare data has become one of the most desirable commodities for sale on black market sites, yet U.S. healthcare organizations are failing to secure that data. An overreliance on compliance requirements and a cursory nod to data protection point to systemic failures that are putting patient data at risk. What’s needed is for healthcare organizations to realize that compliance is not enough, and to implement the controls and policies required to put the security of their data first.”
Here are a few recommendations to protect and mitigate against insider threats:
- Provide security-awareness training to protect against the negligent insider. “You are as vulnerable as your most gullible employee,” said an executive at a provider organization during a POLITICO health IT advisory forum.
- Use multi-factor authentication. Like banks that send a text message to confirm unusual transactions, companies can use out-of-band authentication. An Anthem breach was identified when a user suspected unauthorized access under his account. A second factor delivered over a separate channel, such as a mobile phone, would have made the stolen credentials far harder to use on their own. Note that MFA mainly stops outsiders with stolen passwords; it does nothing about an insider abusing access they legitimately hold, which is why the monitoring and least-privilege controls below matter just as much.
- Patch electronic medical devices, and the servers and workstations that host the EHR. Where a device cannot be patched because of vendor or regulatory constraints, isolate it on its own network segment and restrict what can talk to it.
- Be wise about your data. Limit access to sensitive data to only those who need it, and review those entitlements regularly as staff change roles. Remove data you no longer need. Tackle device loss by encrypting data on laptops and portable media. Back up your data, and keep at least one copy offline so that ransomware cannot encrypt it too.
- Monitor how data leaves and how it is used. Use monitoring or data loss prevention software to watch for large data transfers going out of the organization, whether by USB devices or via cloud services. Just as important for the insider case, audit the EHR's own access logs: flag staff who open records of patients they are not treating, or who touch an unusual number of distinct patient records in a short time, since a single curious or malicious lookup never shows up as a large transfer.
- Develop a breach response plan.
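The two audit-log checks described in the monitoring recommendation above, as an added example that is not code from Protenus, from any EHR vendor, or from the original article. It assumes the EHR writes one audit line per record access (timestamp, user, role, patient ID, action) and that a separate roster records which patients each clinician is currently treating; both the log lines and the roster below are constructed sample data, and the threshold values are illustrative.

```python
"""Flag suspicious EHR record accesses in an audit log.

Added example for this article (not code from Protenus or any EHR vendor).
Assumptions: the EHR emits one audit line per record access with a
timestamp, the staff user, their role, the patient record ID and the
action; a separate care roster says which patients each clinician is
currently assigned to. Log lines, roster and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp  user  role  patient_id  action
AUDIT_LOG = """\
2016-03-01T08:02:11 nurse_amy   nurse   P1001 view
2016-03-01T08:05:40 nurse_amy   nurse   P1002 view
2016-03-01T08:09:03 nurse_amy   nurse   P2077 view
2016-03-01T09:15:22 dr_lee      doctor  P1001 view
2016-03-01T12:00:00 bill_tom    billing P3001 view
2016-03-01T12:00:05 bill_tom    billing P3002 export
2016-03-01T12:00:09 bill_tom    billing P3003 export
2016-03-01T12:00:13 bill_tom    billing P3004 export
2016-03-01T12:00:17 bill_tom    billing P3005 export
2016-03-01T12:00:21 bill_tom    billing P3006 export
2016-03-01T12:00:25 bill_tom    billing P3007 export
"""

# Constructed care roster: patients each clinician is assigned to today.
CARE_ROSTER = {
    "nurse_amy": {"P1001", "P1002"},
    "dr_lee": {"P1001"},
}

# Roles whose record access must be justified by a care relationship.
CLINICAL_ROLES = {"nurse", "doctor"}

# Illustrative threshold: more than BULK_LIMIT distinct patients touched by
# one user inside BULK_WINDOW is treated as a bulk read or export.
BULK_LIMIT = 5
BULK_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse whitespace-separated audit lines into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def find_suspicious(events, roster=CARE_ROSTER,
                    bulk_limit=BULK_LIMIT, window=BULK_WINDOW):
    """Return a list of (user, reason, detail) findings.

    no_care_relationship: a clinician opened a record of a patient who is
        not on their roster (the 'curiosity' or 'revenge' lookup).
    bulk_access: any user touched more than bulk_limit distinct patients
        within `window` (mass read or export); detail is the peak count.
    """
    findings = []

    # Detection 1: clinical access outside the care relationship.
    for ev in events:
        if ev["role"] in CLINICAL_ROLES:
            assigned = roster.get(ev["user"], set())
            if ev["patient"] not in assigned:
                findings.append((ev["user"], "no_care_relationship",
                                 ev["patient"]))

    # Detection 2: sliding time window per user, counting distinct patients.
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        start = 0
        max_distinct = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1]}
            max_distinct = max(max_distinct, len(distinct))
        if max_distinct > bulk_limit:
            findings.append((user, "bulk_access", max_distinct))
    return findings


if __name__ == "__main__":
    for user, reason, detail in find_suspicious(parse_log(AUDIT_LOG)):
        print(f"{user:10} {reason:22} {detail}")
```

On the constructed log this reports nurse_amy for opening P2077, a patient not on her roster, and bill_tom for touching seven distinct records in under a minute. The care-relationship check is the one that catches the insider the article describes; the volume check is the one that catches the export that a data-transfer monitor would also see. In a real deployment the roster comes from the scheduling or ADT system, and the thresholds are tuned per role (a coder in billing legitimately touches far more records per hour than a ward nurse).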
A stolen credit card is worth about $2 on the black market. A stolen medical record is worth $25 or more. “Hospitals and health systems are being held hostage to hackers,” warned one provider executive at the POLITICO forum.