Data Breaches: In the Healthcare Sector
It seems that every day another hospital is in the news as the victim of a data breach. The routine is familiar: individuals receive notification by (e)mail of the breach, paired reassuringly with two free years of credit and identity monitoring. (One might wonder whether there is anyone left who isn't being monitored.) According to the Ponemon Institute and the Verizon Data Breach Investigations Report, the health industry experiences more data breaches than any other sector.[i] There is some potential for bias in this claim: the well-defined, legally mandated reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA) make it more likely that healthcare breaches are reported at all, compared to breaches in sectors with no such mandate.
Breaches in the healthcare sector are caused by many different kinds of incidents, including credential-stealing malware, an insider who purposefully or accidentally discloses patient data, and lost laptops or other devices. Protected Health Information (PHI) is more valuable on the black market than credit card credentials or ordinary Personally Identifiable Information (PII), so cyber criminals have a stronger incentive to target medical databases, whether to sell the PHI or to use it for their own gain. At the time of this writing, over 15 million health records have been compromised by data breaches, according to the Department of Health and Human Services (HHS) breach report.
Why is PHI more valuable than PII?
The average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158. For healthcare agencies the cost is an average of $355. Credit card information and PII sell for $1-$2 on the black market, but PHI can sell for as much as $363 according to the Infosec Institute. This is because one’s personal health history, including ailments, illnesses, surgeries, etc., can’t be changed, unlike credit card information or Social Security Numbers. PHI is valuable because criminals can use it to target victims with frauds and scams that take advantage of the victim’s medical conditions or victim settlements. It can be used to create fake insurance claims, allowing for the purchase and resale of medical equipment. Other criminals use PHI to illegally gain access to prescriptions for their own use or resale.
Alternate Analysis: A recent report by McAfee Labs contests the claim that PHI is more valuable, arguing that the immediate cash value of credit card data matters more to criminals than the longevity of PHI. The report still acknowledges that there is a strong market for PHI.
What laws are in place to protect PHI?
The federal HIPAA Security Rule requires covered entities such as health service providers, and through business associate agreements their vendors, to protect electronic PHI, including electronic health records (EHR), with administrative, physical and technical safeguards. Under the companion HIPAA Breach Notification Rule, a breach of unsecured PHI affecting 500 or more individuals must be reported to HHS and to the affected individuals without unreasonable delay, and no later than 60 days after discovery, whatever the cause: a hacking incident, accidental disclosure, a lost or stolen device, or unauthorized internal access. Smaller breaches must still be logged and reported to HHS annually. As of July, HHS guidance also treats a ransomware infection that encrypts ePHI as a presumed breach, unless the organization can demonstrate a low probability that the data was actually compromised.
Proper application security and network security are important to prevent a compromise from happening in the first place. Encryption is the most effective way to limit what an attacker can do with patient data once they have found their way onto your systems, and it has a regulatory payoff: PHI encrypted in line with HHS guidance does not count as "unsecured", so a lost encrypted laptop or backup is not a reportable breach. Encryption must be implemented both at rest and in transit, with keys stored separately from the data they protect, and it should not be mistaken for a complete defence: an attacker who compromises an application or account that legitimately decrypts records will see plaintext, so access control, least privilege and audit logging still matter. Third parties and vendors with access to your healthcare network or databases must also handle patient data properly. Training on the correct usage and handling of PHI is recommended to reduce breaches caused by employee error, such as a lost device or accidental disclosure.
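As an added illustration of what "encryption at rest" and "encryption in transit" look like in code (this is example code written for this article, not a library or program the article describes), the Go program below encrypts the clinical notes of a record with AES-256-GCM before storage. The patient ID is used as additional authenticated data, so a ciphertext copied from one patient's row into another's, a tampered blob, or a read with the wrong key all fail authentication. The record layout, the field names and the in-memory key holder are assumptions for the demonstration; in a real deployment the key would live in a KMS or HSM, separate from the database, and the TLS setting shown for the service in front of the records is the minimal baseline, not a full hardening configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// PHIRecord is a constructed example record; the fields are assumptions
// for illustration, not any real EHR schema.
type PHIRecord struct {
	PatientID string // stays in plaintext so rows can still be looked up
	Notes     string // the sensitive free-text clinical notes
}

// Vault holds the data-encryption key. In production the key belongs in a
// KMS or HSM, never beside the data; here it is generated in memory only.
type Vault struct {
	key []byte // 32 bytes selects AES-256
}

// NewVault generates a fresh random AES-256 key.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &Vault{key: key}, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record's notes. The patient ID is passed as additional
// authenticated data (AAD): it is not encrypted, but the ciphertext becomes
// bound to it, so a blob moved to another patient's row will not decrypt.
// Stored layout: nonce || ciphertext || GCM tag.
func (v *Vault) Seal(rec PHIRecord) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(rec.Notes), []byte(rec.PatientID)), nil
}

// Open decrypts a stored blob for the given patient ID. Any change to the
// blob, the key or the patient ID makes GCM authentication fail.
func (v *Vault) Open(patientID string, blob []byte) (string, error) {
	gcm, err := v.aead()
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(patientID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// InTransitConfig is the assumed TLS baseline for the service that fronts
// the records: refuse anything older than TLS 1.2 so clients cannot be
// downgraded to protocol versions with known weaknesses.
func InTransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	vault, err := NewVault()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	rec := PHIRecord{PatientID: "P-1001", Notes: "Type 2 diabetes; metformin 500 mg"}
	blob, err := vault.Seal(rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes and reveals nothing without the key\n", len(blob))
	notes, err := vault.Open("P-1001", blob)
	fmt.Println("authorised read:", notes, err)
	_, err = vault.Open("P-2002", blob)
	fmt.Println("blob moved to another patient's row:", err)
	blob[len(blob)-1] ^= 0x01
	_, err = vault.Open("P-1001", blob)
	fmt.Println("tampered blob:", err)
}
```

The point of binding the patient ID as AAD is that "encryption at rest" alone does not stop an attacker with write access to the database from reshuffling ciphertexts between patients; authenticated encryption with the row identity in the AAD does. Note also what this does not protect against: the application process that calls Open legitimately has the key, so an attacker who compromises that process reads plaintext regardless.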