The last year has been tough for healthcare providers around the world. Not only, as you may expect, because of the Covid-19 crisis, but due to the escalating cybercrime threat that has seen many successful attacks on healthcare settings. And while we hope that the Covid-19 pandemic will be over in the near future, the impact of a data breach resulting in stolen health data could have repercussions for a long time to come.

The online information revolution has seen more and more data go online, including patients’ electronic medical records (EMR). This extremely sensitive data needs robust safeguards in place to protect it, because small businesses such as healthcare clinics are doubly attractive to attackers. Whereas large hospitals have larger cybersecurity budgets, access to deeper knowledge and more extensive expertise, and an IT team with information security skills, small, private health clinics may not have the same resources.

The stolen health data market – Not what you thought

Research in the United States found that more than 230 million health records were stolen or lost between 2009 and 2019. This amounts to the records of 70% of US citizens. Hackers target health-care providers because personal health information (PHI) has the highest value on the black market.

Personal health information can be worth ten times more than credit card numbers. This is because personal health records contain complete information about individuals from their personal identification information (PII) through to their height, weight, specific health conditions, health insurance account numbers, even their blood type. Furthermore, while a credit card can be cancelled, personal health information can’t be changed, making it stable for the long term. In short, everything a malicious actor could possibly need.

Figure 1: Relative price of information records on the dark web. Source: Experian 2017

Uses of stolen personal health information (PHI)

When cyber criminals steal personal health information, they can sell it on for a high price. Malicious actors who gain access to stolen health data can monetise this information in a variety of lucrative ways, which go far beyond the ways in which ‘regular’ personal identification information can be used.

1) Sell stolen health data to rogue data kingpins – PHI can be sold to rogue data brokers who then sell it on to insurance and other similar companies (yes, you read correctly). These companies will use this data to re-evaluate insurance policies, target marketing campaigns to the individuals whose data was compromised, and even share it or resell the stolen health data to other parties.

2) Purchase medical equipment or drugs – PHI may also include information about medical personnel. This information about the specific staff can in turn be used to steal the identity of medical workers and gain access to medical equipment or drugs.

3) Identity theft – PHI usually contains large amounts of persona identifiable information (PII) about each patient, and that can be used to steal identities, file fraudulent claims with insurance companies, carry out tax and other forms of financial fraud.

4) Carry out advanced social engineering attacks – PHI provides attackers with the sensitive information they need to carry out confidence attacks on individuals. Phishing attacks using PHI may look particularly genuine as they contain a large amount of factual information gleaned from the victim’s PHI, which increases their confidence in the email, and makes them more likely to interact with it.

These well crafted social engineering attacks could affect both individuals and enterprises, causing significant damage, and taking advantage of human error to bypass the advanced technological solutions these organisations have in place.

5) Ransomware attacks – Cyber criminals could hold stolen health data for ransom, stopping services, and threatening to leak the information they hold unless a ransom is paid. Should the information be published online (with or without a ransom), it will cause embarrassment, loss of reputation and patients and more.

Ransomware attacks are increasing on hospitals and other healthcare organisations, simply because attacks on hospitals have a higher chance of success. Healthcare organisations are often quick to pay ransoms because they can’t afford to experience downtime (see what happened in Dusseldorf, Germany, when a hospital was attacked by ransomware).

So what can be done to improve health data protection and avoid the consequences of a breach resulting in stolen health data?

Improve personal health data protection in your organisation

It is a matter of when, not if, a data breach will affect an organisation. Taking a proactive approach towards cybersecurity risk management will improve health data protection and reduce the likelihood and potential impact of cybersecurity attacks, including stolen health data.

Technology is not enough – Firewalls, anti-malware solutions (formerly known as anti-virus products), and data encryption will help improve personal health data protection, but they are not enough to defend against cyber attacks.

A broader vision is required, one that takes into account all the different variables of cybersecurity, including technological solutions, best practice implementation, good internal processes, empowered employees who understand their information security responsibilities, and constant monitoring of these defences in order to ensure that they are always up to date and in working order.

Manage security vulnerabilities – Attackers usually get into systems by exploiting vulnerabilities in these systems. In order to stay ahead of attackers, you need to proactively check for, identify, and mitigate these vulnerabilities across your network.

Vulnerability management involves ensuring that you configure your systems securely, changing system permissions, and applying updates and security patches as soon as they are released. Remember, some of the worst security breaches on record were caused by poorly configured systems, or when no one changed system permissions, using the defaults, that attackers are all too familiar with.

Create a monitoring process with complete logs of activities – Logs and records of what goes on on your network are important elements of your cybersecurity. Good network monitoring and logs are invaluable when things go wrong, and you need to call in a professional cybersecurity team to investigate and remedy the situation, getting you back up and running as fast as possible. Without proper monitoring and logging of systems, even the best incident response team will struggle to fix the situation.

Back up your systems – The best way to return to normal after a ransom or other attack on your systems is to have a properly configured backup drive that you can immediately recover and apply to your systems. Make sure that it is protected separately from your regular drive, because if it is also encrypted in a ransomware attack it will not be able to help!

Train your employees to be security smart – Many data breaches are caused by human negligence. In some cases, employees fall for phishing scams, giving attackers access to records. In other cases, employees lost or left unattended computers or other devices containing unsecured health data, which was then stolen. Every employee in your organisation from doctors down to administrative staff should be guided and trained in how to stay safe, and avoid opening the door for attackers.

Plan your response to an attack – If all else fails, have a clear incident response plan in place that will help you address any incident that comes your way, including malicious attacks, data breaches, or data loss incidents. Incident response plans contain instructions to your team to identify the problem, contain it, eradicate the threat, recover any lost data, and set out a framework for learning how to prevent an attack like this from happening again.

The incident response plan should be a living document that is reviewed regularly to ensure that everyone knows what to do in the event. Incident response plans (and their current relevance to your company) are also super important to your customers who are looking for reassurance that you will be on top of any kind of incident.

Personal healthcare data protection can be complicated and expensive, but as healthcare professionals all know, prevention is better than cure. Healthcare settings do not have the luxury of taking it easy when it comes to protecting PHI. It’s always the right time to check your cybersecurity defences, ensure they are healthy, and get a second opinion from a ‘cybersecurity doctor’!

Stay safe

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-176747747-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Health data protection: How to keep patients’ data safe from the stolen health data market

The stolen health data market – Not what you thought

Uses of stolen personal health information (PHI)

Improve personal health data protection in your organisation

Recent Posts

How to build a cybersecurity strategy for startups

ISO 27001 vs SOC 2 – Which is better for your organisation?

Encryption of data in use: A new standard in data protection

What is HIPAA Compliance for Startups?

Benefits of ISO 27001: Why you need a cybersecurity framework

Are you the weakest link? How to prevent software supply chain attacks

Services

Location & Contact Details

Stay Connected