By Nazar Tymoshyk, SoftServe
Imagine coming home and finding out that someone has broken into your house, but nothing tangible seems to have been stolen. Health care data hacking attacks are on the rise, and they engender this very feeling. When health care data has been stolen, many victims find out too late or not at all.
Two major problems with health care data hacking, mentioned by the 2014 Bitglass report:
- Today’s health care organizations are not set up to identify illicit records activity and are therefore unable to eliminate it
- Healthy patients may not learn about a breach until they have a reason to seek treatment, which is the most stressful time to have to deal with such a problem
It can be misleading to think a hacker’s sole purpose is to harm patients, when actually this is just an extremely unpleasant side effect of criminal business. Medical identity theft can cause difficulties like lost insurance coverage, mixed up records, higher premiums, medical harm and false diagnosis. But the reason healthcare data hacking exists is that there’s a lucrative market for the data, and a working supply-and-demand model with both buyers and sellers.
Experts suggest that electronic health records have 50 times the black market value of credit card details. And as cyber criminals find the dirty business model works on a large scale, the illicit health data business becomes increasingly rewarding for them.
According to the ITRC Breach List (a record of U.S. data breach incidents tracked since 2005), the medical/health care sector topped the list with 42.5 percent of breaches identified for 2014.
But why is this market working so well? Who is operating in the market? How does it work, what could stop it, and why do all organizations involved in health care need to understand the underlying structure in order to fight it?
These are the questions technology companies and health care organizations, as well as patients themselves, need to find answers for.
The Dark Web
On the dark Web — content on the World Wide Web which is not indexed by standard search engines — many activities are hidden, providing a marketplace to trade stolen data. Once the data is accessed, hackers are not involved in generating the cash; instead, it is the job of self-proclaimed Illegal data brokers, handling large databases of stolen health information and selling access to identity thieves.
The Ponemon Institute explains in its annual Cost of Data Breach Study that health care breaches are the most costly among all data types, with an average cost per organization as high as $363 per stolen health record. Dave Kennedy, a health care security expert at TrustedSEC, says in an interview with Reuters that hospitals generally have low levels of security, so it is relatively easy for hackers to get large amounts of personal data for medical fraud. Hospitals, in short, are an easy target.
Breach Discovery and Disclosure
One of the problems with health data, compared to financial data hacking, is that while consumers will immediately find out whether a financial account is compromised when checking their banking account, in health care it’s not so immediately obvious that a breach has taken place. Adam Goslin at Total Compliance Tracking explains in an online tech webinar on health care security vulnerabilities that health data breaches not only go unidentified for months, but are often never actually discovered.
Reuters’ investigation suggests that health care related identity theft may give the criminals behind the scenes enough time — sometimes years — to make money out of a patient’s credentials. This can be a huge advantage over credit card theft, where cards are quickly cancelled by banks when the fraud is discovered.
Even when a breach is discovered, it isn’t always made public. Adam Levin, founder and chairman of IDT911, explains that many breaches fly under the radar each day as “many institutions … prefer to avoid the financial dislocation, liability and loss of goodwill that comes with disclosure and notification.”
How Is Health Care Data Used?
Hacked health care data can be used for medical identity theft. The financial impact on patients can be significant. The Ponemon Institute calculates that the average out-of-pocket loss per victim of medical identity theft could amount to $18,660. The stolen data can be used by criminals to make claims on behalf of a patient or to allow criminals to purchase expensive medical equipment.
How to Stop Health Data Hacking?
Unfortunately, there is no single answer to how to stop this trade. Instead, there’s a booklet full of suggestions. The Bitglass report explains that there could be increasing issues associated with the use of cloud-based email among health care organizations. Also, health care data is thought to be increasingly pervasive; data can be found on patients’ and doctors’ smartphones, health trackers, as well as in the cloud.
Ryan Witt at Fortinet explains that, “Patient data lives in countless systems in hospitals, medical practices, devices, insurance companies and even HR databases that often include legacy software, purpose-built hardware, troubled insurance exchanges and more.”
Ultimately, the lack of investment in security by many health care providers, coupled with the time taken to identify and respond to health care data breaches, is offering a jackpot to hackers. Together, investment in robust security measures and the ability to quickly identify breaches would make it much harder to access the data and reduce its market value, leading to a significant decrease in demand.
In the end, a too simplistic vision of how to stop cyber attacks may not pay off. Instead, understanding the drivers and intentions of criminals within the stolen health data market, combined with more effective data security measures, could offer the most effective and affordable strategies.
Nazar Tymoshyk is an IT security and network infrastructure expert working for SoftServe, a software and application development company. He specializes in many security disciplines, including computer forensics, malware analysis, intrusion detection and mobile application security assessments. Nazar holds a Ph.D. in Information Security from the State University, Lviv Polytechnics and is the chapter leader of the OWASP in Lviv, Ukraine. He is a regular contributor to the SoftServe United blog.