8 min read 15 May 2018

Why health care is a favored target for cybercriminals

By EY Global

Ernst & Young Global Ltd.


An increasing awareness of the value of medical records is driving the illicit sale of information online.

In the dark corners of the internet, medical records are a hot commodity, and with millions of peoples’ medical records up for sale they are drawing a far higher price than credit card details. Health organizations are scrambling to put the systems in place to rapidly detect and prevent attacks on this data. And they are learning lessons from other industries along the way.

Why are medical records a target?

In some cases, it’s about stealing a person’s identity — and then landing them with the bill for fraudulently obtained health care. In others, it’s about opening a new line of credit. And, in some cases, hacked medical records are used for blackmail and extortion.

Medical records contain a great deal of highly sensitive personal information, which can sell for as much as $60 per record. By comparison, social security numbers fetch a mere $15 and stolen credit cards sell for just $1 to $3.

A growing threat

Digital health care is becoming the new normal. The telemedicine market alone is expected to be worth around $41.2 billion by 2021, up from $23 billion today. This trend is part of the reason for the spike in threats, as more third parties enter the health supply chain.

The spread of digital health care networks means more attack points for hackers. Developers of new digital self-care and patient-wellness apps, for instance, as well as other business associates, often come from non-health backgrounds and are unlikely to understand compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). As a consequence, these new points of entry can be less vigilant and less secure.

But the increased awareness of medical records’ value on the black market is the primary driver of emerging cyber threats.

The scale of the threat today

This isn’t hypothetical. The danger is real – and it is putting patients at risk.

As many as 80 million customers of Anthem Inc. – America's second-largest health insurance organization – had their account information compromised in the 15 months between January 2014 and March 2015. This remains the biggest medical data hack to date, but with the number of attacks continually increasing, unless the industry gets better at cybersecurity, a worse breach could yet occur.

As of November 2017, the US Department of Health and Human Services was in the process of investigating medical data breaches affecting 17 million people, according to its regularly updated breach portal. New breaches – and new investigations – are added every few days, with 260 added to the list from January to October 2017.

Meeting the challenges

Banks have taken major steps to crack down on identity theft. But hospitals, which have only recently transitioned from paper-based to digital systems, have far fewer protections in place.

The interconnected nature of the health ecosystem means a breach can have negative knock-on effects up and down the supply chain. The growing number of access points within the supply chain increases the breach risk, affecting all players in the health ecosystem.

Take something as simple as a blood pressure monitor for instance. Points of risk include the medical device manufacturer, the physician, the electronic health record systems used, and the insurance organization reimbursing the physician or patient. All play a role in keeping the infrastructure secure.

In ransomware cases, the thief holds the entity’s data hostage in exchange for payment. Whether the data is held for ransom or resold, health organizations must catch up fast, and use proven techniques from other industries to stop theft at every point in the black market or ransomware value chain.

The impact on patients and organizations

A dangerous by-product of a theft is that important information on the patient’s medical record is often altered. Items such as allergy notes can be deleted, or new entries added.

For a medical device organization with web-connected or sensor-enabled devices, attackers could interfere with device operation, disabling a pacemaker or a level-sensitive medication-delivery system. If attackers hack the sensor that monitors drug levels, they can alter the dose, with potentially deadly results for the patient.

They could also attack earlier in the supply chain through a parts supplier or at the point of manufacture. All it would take is for one sensor in the plant to be hacked so that it feeds inaccurate data into the manufacturing process, and the product could turn out to be defective in ways not discovered until it’s on the market. Manufacturing plants were not constructed with cybersecurity in mind, but they are becoming increasingly connected and automated, which makes them increasingly vulnerable.

For a pharmaceutical organization, the threat is entirely different. For instance, cyber attackers may follow the development progress of a new, high-profile drug to know when and how to interrupt your process. Your facilities, all on networked controls, could be hacked and your testing environment contaminated. With your testing data all held on servers, your data farm could be open to attack and your data destroyed or corrupted.

For organizations that have contracted with a third-party testing firm, cyber attackers could gain access through the relatively insecure company cellphone allocated to a contractor’s employee and move on to disrupt the testing environment through that breach.

Getting ahead of the threat

To truly get ahead of the attackers, organizations need strategies customized to their exact areas of risk. A compliance mindset on cybersecurity won’t be enough.

Compliance is focused on the past, and regulations are usually based on the types of breaches that have already happened.

IT-focused solutions are equally inadequate.

Instead, health organizations need an all-encompassing framework to make smart, informed decisions to prioritize cybersecurity spending, build and instill a culture of security, and protect the assets most directly impacting business strategy and objectives.


The key steps organizations need to take are:

  • Complicate an attacker’s ability to achieve their objective
  • Detect an attack before meaningful business is impacted
  • Respond effectively and immediately to remediate an attack
  • Educate your workforce to increase awareness, develop and maintain a security consciousness, and fend off phishing attacks

The key operating concept is the idea of an active defense: probing for, analyzing and neutralizing threats before they can acquire or damage an organization’s critical assets. This requires organizations to understand their risk spectrum – over time and at every step along the data collection path.

Know the value of your data – and start with the areas of highest risk

To allocate cybersecurity dollars wisely, organizations must learn the value of their information assets, updating assessments at least annually and at every point in their supply chains. The cost of a security breach in health care is too high to ignore. A data breach could bring your entire business to a standstill, and a ransomware threat could lock down your data, making daily operations impossible.

Yet not everything should be protected with equal rigor. The higher the value, the stronger your protection needs to be at those transaction points.

The risk grows as you gain more data. The value of health data may increase over time; unlike credit cards, PINs or passwords, health data does not change, and aggregation makes it more valuable, whether as individual records or as data sets drawn from multiple individuals. For instance, data is more valuable (and needs higher protection) at the end of a clinical trial.

Improving your people’s cyber-resilience

Security must become the new mindset and the new backbone around which operational or delivery-of-care models are built.

But in many cases, it’s challenging for security experts to convince people (like doctors and other health practitioners) to alter their workflow to accommodate risk mitigation.

In some cases, concerns are valid – for instance, many doctors are reluctant to use dual-factor authentication, as it might slow down the process of treating a critical patient. In others, it is a matter of educating everyone in the chain on the potentially dire outcomes of a security breach, and stressing the need for diligence in daily health care tasks.


Key steps for every organization to improve its employee cybersecurity include:

  • Educating your workforce to be on the lookout for spear-phishing attacks, those seemingly legitimate emails from a familiar individual or organization that are, in fact, fraudulent communications
  • Changing employee perceptions of cybersecurity as an annoyance to be avoided when possible, to a fundamental part of achieving the organization’s objectives
  • Raising the overall awareness of all operative stakeholders in your business – from every level of employee to every component of your supply chain
  • Making sure your workforce education and security measures do not instill too much fear in your users

Communicating and responding effectively

Just as the best medicine is preventative, the most effective cybersecurity is proactive and preemptive.

Build a crisis management plan now and be ready to execute it at the first sign of a security incident. This plan needs to address responses for:

  • Customers – and your organization’s responsibility to those harmed by an attack, including plans for different responses based on what was lost or disrupted in the breach
  • Stakeholders – including others in the supply chain, stockholders, employees, and anyone else with a vested interest in your organization
  • The spokesperson – and whether this will differ depending on the scale of the event
  • Public affairs – (such as notifying government officials) if the attack is traced back to a nation-state, where political and market sensitivities are at play
  • Ransomware threats – with a differentiated strategy for varying threat levels and understanding their classification (i.e., direct financial loss, reputation loss or legal repercussions with associated financial loss)

In a rapidly changing health care industry, cybersecurity strategies must be proactive and preemptive to protect sought-after customer data.

About this article

By EY Global

Ernst & Young Global Ltd.