The Hacker-Patient Privilege

The healthcare industry is a ubiquitous part of our lives. From the moment we are born, healthcare providers are there with us, helping us maintain a healthy mind and body. Billions of health records are created, updated, and exchanged every day, and that is a big deal.

Luckily for us, the US Government has enacted two major healthcare-related laws. For starters, the Health Insurance Portability and Accountability Act (HIPAA) has been the gold standard for safeguarding medical records and Protected Health Information (PHI) since its enactment in 1996. On top of that, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed in 2009 to promote the adoption of electronic health records and to strengthen HIPAA's privacy and security requirements, including breach notification, for medical data exchanged electronically.

It would seem that all our medical information is in good hands, but nothing could be further from the truth. All it takes is a simple Google search for "healthcare data breaches" to uncover a scary picture. In summary: many millions of patient records have been illegally accessed, hacked, or stolen. It is a bleak scenario for our nation's healthcare system, and more than enough reason to be concerned.

One's medical data is another hacker's treasure

At first glance, we may think that not much can be done with stolen medical records. What value do they really have to a hacker? To put it in perspective: credit card numbers, legal names, addresses, and, in limited circumstances, even Social Security numbers can be changed [1], effectively detaching your persona from the stolen information. Medical records, however, are largely immutable. You can't change your date of birth, your medical conditions, or your prescription history.

Electronic Health Record (EHR) systems and insurance companies keep detailed logs of your health-related consultations and transactions. And while there are laws that require them to delete that information after a set number of years, all a hacker needs is a clear profile of the patient's identity. Patient records sell for around $60 each on the dark web [2].

Stolen medical records can be used not only to open bank accounts in your name, but also to commit insurance fraud, to fill prescriptions in your name, or for outright medical identity theft. The most disturbing use, however, is extortion. Cyber criminals have been known to harass or blackmail high-profile patients for money when they get hold of a hidden diagnosis that could ruin their careers, relationships, or even lives [3].

The human condition

To understand the seriousness of this situation we need a better grasp of how breaches occur. All too often we blame outdated (unpatched) software, zero-day vulnerabilities, or weak passwords. Those do leave the door open for attacks, but they are not the only culprits. Modern attackers have gone beyond exploiting software bugs and brute-force attacks to phishing scams, weaponized ransomware, misconfigured cloud storage buckets, and social engineering, all of which exploit human error or trust rather than a flaw in the code. They target the hardest vulnerability to patch: people.

Take, for instance, Anthem's massive breach in 2015. It has been labeled "one of the largest cyber hacks of an insurance company's customer data." [4] It all started with a seemingly normal email message that enticed an employee to download a file to their computer. Once the file was opened, it gave the attackers remote access to that computer and, from there, to at least 90 other systems on Anthem's network.

While strong infrastructure, security controls, and disaster recovery plans to withstand these attacks are essential, taking care of your healthcare personnel is paramount.

Everyone, from the customer service representative who accesses patient information every day to the janitor who empties the confidential document bin every Friday, should be trained so that they understand the consequences of an unauthorized access. Furthermore, executives need to understand how important it is to invest in data protection policies: an early cybersecurity investment can spare them dire consequences later, not only by keeping the business compliant with the law, but also by building customer retention and trust.

Training personnel may seem like a daunting and often tedious process, but the benefits far outweigh the costs. Not to mention that the knowledge imparted stays with your staff, to your benefit, in both the short and the long term. After all, we're all patients.

Don't know where to start? Fuxebox specializes in cybersecurity and government regulations. From personnel training and NIST SP 800-171 self-compliance guidance to full compliance implementations, our team of experts can help you choose the best path for your business. Let us help unlock your business' full potential. We invite you to contact us for a professional assessment.

References

  1. Federal Trade Commission, "Do You Need a New Social Security Number?" (https://www.consumer.ftc.gov/articles/0248-do-you-need-new-social-security-number#new)

  2. NBC News, "Hacking of Health Care Records Skyrockets" (https://www.nbcnews.com/news/us-news/hacking-health-care-records-skyrockets-n517686)

  3. LuxSci, "Hackers Targeting Medical Records" (https://luxsci.com/blog/hackers-targeting-medical-records.html)

  4. California Department of Insurance, Commissioner Dave Jones, press release, 2017 (http://www.insurance.ca.gov/0400-news/0100-press-releases/2017/release001-17.cfm)