In the dark corners of the internet, medical records are a hot commodity, and with millions of people's medical records up for sale they are drawing a far higher price than credit card details. Health organizations are scrambling to put systems in place to rapidly detect and prevent attacks on this data. And they are learning lessons from other industries along the way.
Why are medical records a target?
In some cases, it’s about stealing a person’s identity — and then landing them with the bill for fraudulently obtained health care. In others, it’s about opening a new line of credit. And, in some cases, hacked medical records are used for blackmail and extortion.
Medical records contain a lot of highly sensitive personal information, which can sell for as much as $60 per record. By comparison, social security numbers fetch a mere $15 and stolen credit cards sell for just $1 to $3.
A growing threat
Digital health care is becoming the new normal. The telemedicine market alone is expected to be worth around $41.2 billion by 2021, up from $23 billion today. This trend is part of the reason for the spike in threats, as more third parties enter the health supply chain.
The spread of digital health care networks means more attack points for hackers. Developers of new digital self-care and patient-wellness apps, for instance, as well as other business associates, often come from non-health backgrounds and are unlikely to understand compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). As a consequence, these new points of entry can be less guarded and less secure.
But the increased awareness of medical records’ value on the black market is the primary driver of emerging cyber threats.
The scale of the threat today
This isn’t hypothetical. The danger is real – and it is putting patients at risk.
As many as 80 million customers of Anthem Inc. – America's second-largest health insurance organization – had their account information compromised in the 15 months between January 2014 and March 2015. This remains the biggest medical data hack to date, but with the number of attacks continually increasing, unless the industry gets better at cybersecurity, a worse breach could yet occur.
As of November 2017, the US Department of Health and Human Services was in the process of investigating medical data breaches affecting 17 million people, according to its regularly updated breach portal. New breaches – and new investigations – are added every few days, with 260 added to the list from January to October 2017.
Meeting the challenges
Banks have taken major steps to crack down on identity theft. But hospitals, which have only recently transitioned from paper-based to digital systems, have far fewer protections in place.
The interconnected nature of the health ecosystem means a breach can have negative knock-on effects up and down the supply chain. The growing number of access points within the supply chain increases the breach risk, affecting all players in the health ecosystem.
Take something as simple as a blood pressure monitor for instance. Points of risk include the medical device manufacturer, the physician, the electronic health record systems used, and the insurance organization reimbursing the physician or patient. All play a role in keeping the infrastructure secure.
In ransomware cases, the thief holds the entity's data hostage in exchange for payment. Whether the data is held hostage or resold, health organizations must catch up fast, and use proven techniques from other industries to stop theft at every point in the black market or ransomware value chain.