The last year has been tough for healthcare providers around the world. This is not only because of the Covid-19 crisis, as you may expect, but also because of the escalating cybercrime threat, which has seen many successful attacks on healthcare settings. And while we hope that the Covid-19 pandemic will be over in the near future, the impact of a data breach resulting in stolen health data could have repercussions for a long time to come.
The online information revolution has seen more and more data go online, including patients’ electronic medical records (EMR). This extremely sensitive data needs robust safeguards in place to protect it, because small businesses such as healthcare clinics are doubly attractive to attackers. Whereas large hospitals have larger cybersecurity budgets, access to deeper knowledge and more extensive expertise, and an IT team with information security skills, small, private health clinics may not have the same resources.
The stolen health data market – Not what you thought
Research in the United States found that more than 230 million health records were stolen or lost between 2009 and 2019. This amounts to the records of 70% of US citizens. Hackers target healthcare providers because personal health information (PHI) has the highest value on the black market.
Personal health information can be worth ten times more than credit card numbers. This is because personal health records contain complete information about individuals, from their personal identification information (PII) through to their height, weight, specific health conditions, health insurance account numbers, even their blood type. Furthermore, while a credit card can be cancelled, personal health information can’t be changed, making it stable for the long term. In short, it contains everything a malicious actor could possibly need.
Figure 1: Relative price of information records on the dark web. Source: Experian 2017
Uses of stolen personal health information (PHI)
When cyber criminals steal personal health information, they can sell it on for a high price. Malicious actors who gain access to stolen health data can monetise this information in a variety of lucrative ways, which go far beyond the ways in which ‘regular’ personal identification information can be used.
1) Sell stolen health data to rogue data kingpins – PHI can be sold to rogue data brokers who then sell it on to insurance and other similar companies (yes, you read correctly). These companies will use this data to re-evaluate insurance policies, target marketing campaigns to the individuals whose data was compromised, and even share it or resell the stolen health data to other parties.
2) Purchase medical equipment or drugs – PHI may also include information about medical personnel. This staff information can in turn be used to steal the identity of medical workers and gain access to medical equipment or drugs.
3) Identity theft – PHI usually contains large amounts of personally identifiable information (PII) about each patient, which can be used to steal identities, file fraudulent claims with insurance companies, and carry out tax and other forms of financial fraud.
4) Carry out advanced social engineering attacks – PHI provides attackers with the sensitive information they need to carry out confidence attacks on individuals. Phishing attacks using PHI may look particularly genuine because they contain a large amount of factual information gleaned from the victim’s PHI, which increases the victim’s confidence in the email and makes them more likely to interact with it.
These well-crafted social engineering attacks could affect both individuals and enterprises, causing significant damage and taking advantage of human error to bypass the advanced technological solutions these organisations have in place.
5) Ransomware attacks – Cyber criminals could hold stolen health data for ransom, stopping services and threatening to leak the information they hold unless a ransom is paid. Should the information be published online (with or without a ransom), it will cause embarrassment, loss of reputation, loss of patients, and more.
Ransomware attacks on hospitals and other healthcare organisations are increasing, simply because attacks on hospitals have a higher chance of success. Healthcare organisations are often quick to pay ransoms because they can’t afford to experience downtime (see what happened in Dusseldorf, Germany, when a hospital was attacked by ransomware).
So what can be done to improve health data protection and avoid the consequences of a breach resulting in stolen health data?
Improve personal health data protection in your organisation
It is a matter of when, not if, a data breach will affect an organisation. Taking a proactive approach towards cybersecurity risk management will improve health data protection and reduce the likelihood and potential impact of cybersecurity attacks, including stolen health data.
Technology is not enough – Firewalls, anti-malware solutions (formerly known as anti-virus products), and data encryption will help improve personal health data protection, but they are not enough to defend against cyber attacks.
A broader vision is required, one that takes into account all the different variables of cybersecurity, including technological solutions, best practice implementation, good internal processes, empowered employees who understand their information security responsibilities, and constant monitoring of these defences in order to ensure that they are always up to date and in working order.
Manage security vulnerabilities – Attackers usually get into systems by exploiting vulnerabilities in these systems. In order to stay ahead of attackers, you need to proactively check for, identify, and mitigate these vulnerabilities across your network.
Vulnerability management involves ensuring that you configure your systems securely, changing system permissions, and applying updates and security patches as soon as they are released. Remember, some of the worst security breaches on record were caused by poorly configured systems, or by systems where no one changed the permissions and the defaults, which attackers are all too familiar with, were left in use.
Create a monitoring process with complete logs of activities – Logs and records of what happens on your network are important elements of your cybersecurity. Good network monitoring and logs are invaluable when things go wrong and you need to call in a professional cybersecurity team to investigate and remedy the situation, getting you back up and running as fast as possible. Without proper monitoring and logging of systems, even the best incident response team will struggle to fix the situation.
Back up your systems – The best way to return to normal after a ransom or other attack on your systems is to have a properly configured backup drive that you can immediately recover and apply to your systems. Make sure that it is protected separately from your regular drive, because if it is also encrypted in a ransomware attack it will not be able to help!
Train your employees to be security smart – Many data breaches are caused by human negligence. In some cases, employees fall for phishing scams, giving attackers access to records. In other cases, employees lose computers or other devices containing unsecured health data, or leave them unattended, and the data is then stolen. Every employee in your organisation, from doctors down to administrative staff, should be guided and trained in how to stay safe and avoid opening the door for attackers.
Plan your response to an attack – If all else fails, have a clear incident response plan in place that will help you address any incident that comes your way, including malicious attacks, data breaches, or data loss incidents. Incident response plans contain instructions to your team to identify the problem, contain it, eradicate the threat, recover any lost data, and set out a framework for learning how to prevent an attack like this from happening again.
The incident response plan should be a living document that is reviewed regularly to ensure that everyone knows what to do in the event of an incident. Incident response plans (and their current relevance to your company) are also super important to your customers, who are looking for reassurance that you will be on top of any kind of incident.
Personal healthcare data protection can be complicated and expensive, but as healthcare professionals all know, prevention is better than cure. Healthcare settings do not have the luxury of taking it easy when it comes to protecting PHI. It’s always the right time to check your cybersecurity defences, ensure they are healthy, and get a second opinion from a ‘cybersecurity doctor’!