Data Breaches: In the Healthcare Sector

It seems that every day another hospital is in the news as the victim of a data breach. The routine is familiar – individuals receive notification by email of the breach, paired reassuringly with two free years of credit and identity monitoring. (One might wonder – Is there anyone left who isn’t being monitored?)

According to the Ponemon Institute and the Verizon Data Breach Investigations Report, the health industry experiences more data breaches than any other sector. There may be some potential for bias in this claim, however, due to the well-defined, legally mandated reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA). The Act makes it more likely that healthcare breaches will be reported compared to breaches in other sectors.

Causes of Healthcare Sector Breaches

Breaches are widely observed in the healthcare sector. These can be caused by many different types of incidents, including credential-stealing malware, an insider who either purposefully or accidentally discloses patient data, or lost laptops or other devices.

Personal Health Information (PHI) is more valuable on the black market than credit card credentials or regular Personally Identifiable Information (PII). Therefore, there is a higher incentive for cyber criminals to target medical databases. They can sell the PHI and/or use it for their own personal gain. At the time of this writing, over 15 million health records have been compromised by data breaches, according to the Health and Human Services breach report.

Why is PHI More Valuable than PII?

The average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158. For healthcare agencies the cost is an average of $355. Credit card information and PII sell for $1-$2 on the black market, but PHI can sell for as much as $363 according to the Infosec Institute. This is because one’s personal health history, including ailments, illnesses, surgeries, etc., can’t be changed, unlike credit card information or Social Security Numbers.

PHI is valuable because criminals can use it to target victims with frauds and scams that take advantage of the victim’s medical conditions or victim settlements. It can also be used to create fake insurance claims, allowing for the purchase and resale of medical equipment. Some criminals use PHI to illegally gain access to prescriptions for their own use or resale.

Alternate Analysis: A recent report by McAfee Labs contests the claim that PHI is more valuable, arguing that the lucrativeness of credit card data is more important than the longevity of PHI. The report still acknowledges there is a strong market for PHI.

What Laws are in Place to Protect PHI?

The Federal HIPAA Security Rule requires health service providers to protect electronic health records (EHR) using proper physical and electronic safeguards to ensure the safety of health information. Breaches of over 500 records, whether due to a hacking incident, accidental disclosure, lost or stolen devices, or unauthorized internal access, must be reported. As of July, this also includes ransomware infections.

Recommendations

Proper application security and network security are important to prevent a compromise from happening in the first place. Encryption is the best way to protect patient data from being accessed once someone has found their way onto healthcare systems.

It is important that encryption is implemented both at rest and in transit, and that third parties and vendors that have access to healthcare networks or databases are also properly handling patient data. Training on proper usage and handling of PHI is recommended to reduce data breaches caused by employee error, such as a lost device or accidental disclosure.

U.S. hospitals can get access to Malicious Domain Blocking and Reporting (MDBR) to help defend against data breaches at no cost.*

*While MDBR was offered at no cost to U.S. private hospitals for a limited time, that offering has been discontinued in favor of MDBR+, a low-cost, cloud-based secure web gateway service that provides real-time reporting, custom configurations, and off-network device protection.