Approximately 29.3 million patient health records have been compromised in a HIPAA data breach since 2009¹. In this article, we will be trying to figure out how hackers use this hacked healthcare data to cash in the cyber underworld or black market.
This is a guest article from Ashiq Ja, Security Researcher for the InfoSec Institute.
With the drastic increase in Cyber Crime, the healthcare industry is a potential target for data hungry hackers. Patient safety may not directly relate to data security, but an individual’s personal health information includes everything from their address, private medical records to credit card information.
In one recent case, a health insurance company took almost a year to notify 1.1 million of its members that their personal data had been swiped by hackers. In another incident, more than 80 million pieces of health data was stolen from an Anthem breach in a network server hack. In the 15 months from January 2014 into March 2015, the healthcare industry had 15 separate major breaches of protected health information that affected well over 100,000 individuals. Healthcare companies experienced a 72% increase in cyberattacks between 2013 and 2014.
Now, why are hackers behind the health data of an individual or a patient? What can be gained from such data?
Cost of Stolen Data
More and more health data are showing up in the dark web, and the solution is obviously more complex than simply deleting or changing data such as a patient’s birthdate or social security numbers. Stolen patient health records can fetch as much as $363 per record, according to data from the Ponemon Institute, which is more than any other piece of data from any other industry.
There have been more than 270 public disclosures of large health data breaches.
“These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas. While stolen credit card numbers tend to be sold for a few dollars or less, a set of Medicare ID numbers for 10 beneficiaries found online by Greg Virign, CEO of the security company RedJack, was being sold for 22 bitcoins, or about $4,700.
These records are used for identity theft and can be classified as following:
- Credentials: Name, date of birth, contract or group number, type of insurance plan, deductible and co-pay formation, insurer contact information for claims and customer service. Another $20 each is available for associated dental, vision, or chiropractic plans.
- Complete electronic dossier or Fullz: An electronic dossier of credentials for an individual compiled and packaged with other Personally Identifiable Information (PII). Fullz are worth more because they take time to compile but facilitate the identity theft process for the black market purchaser. They may include everything in the credentials package above plus address, phone numbers, email address with password, social security number or employer ID number, bank account information, online banking credentials, and credit card information.
- Finished kit of phony ID and credential documents or Kitz: Includes custom-manufactured physical credentials and documentation related to the identity information from Fullz. It becomes a complete identity theft kit and may include fake versions of the victim’s insurance card, social security card, driver’s license and credit cards.
Hacking is not the only means through which medical information are compromised. Sometimes healthcare workers steal data to make a profit, while in other cases, friends or family members use a person’s health insurance information to obtain fraudulent or fake medical claims.
Underestimating the Healthcare Data Security
Many healthcare organizations do not perform encryption of records within the internal networks. They also do not use encryption of data at rest and transit. This interests hackers since the attack surface area is very huge with a lot of vulnerabilities left unchecked. Health insurance information can be used to purchase drugs or medical equipment, which are then resold illegally, or, in some cases, the theft can be made in an attempt to get medical care. The latter can have consequences that go far beyond the financial.
Ken Westin, security analyst at Tripwire said, “In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It’s no surprise that several organizations have been targeted and compromised. Vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes.”
Some healthcare organizations may operate under the assumption that hackers are only interested in financial data, and assume that perimeter firewalls would stop any kind of external attacks. These assumptions are, of course, incorrect, and can result in absence of application security and encryption of data. The Health Insurance Portability and Accountability Act (HIPAA) addresses a number of patient privacy issues, but doesn’t require encryption of patient data.
Why is Patient Health Information (PHI) Considered More Valuable Than Financial Data?
In the world of black market data, medical information has a higher value than a credit card information. One reason medical data is coveted by thieves is that it has more lasting value than other types of information. Once the bad guys get their hands on it, it’s difficult for the victim to do anything to protect themselves. While a stolen credit card can be cancelled and fraudulent charges disputed, the process for resolving medical ID theft is not as straightforward and can take much more time and effort to resolve.
Hospitals and insurers usually don’t have a clear process for fixing errors on someone’s health record or for helping patients cope with the other consequences of identity theft.
“Unlike credit card numbers, healthcare information is non-recoverable, and potentially lethal in the wrong hands” Robert Hansen, the vice president of WhiteHat Security, told the Christian Science Monitor. Banks have stepped up their online security in the recent years by incorporating better secure transactions and transfers while many health insurers and hospitals have not taken security seriously.
Twenty-one percent of doctors said they believed their cybersecurity was below average, while 8 percent of IT workers and administrators had the same view. A Ponemon Institute report indicates cyber criminals have increased their attacks on healthcare 125 percent, costing the industry $6 billion annually.
A recent UCLA Health System data breach affected 4.5 million patients. The unusual activity was initially detected on October 2014, and was confirmed in May 2015 following an FBI investigation. The infiltrated servers contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures.
“Despite these painful lessons, it seems that personal data compromised in the latest breach were still not encrypted,” said Igor Baikalov, chief scientist at Securonix, a data security firm in Los Angeles.
Regulatory Compliance Program for Electronic Health Records (EHR)
A regulatory compliance program requires some level of central coordination. It supports gathering controls and testing information, developing a common set of control objectives, and coordinating efforts to meet multiple regulations. Typically, a new or updated regulation or other requirements (such as PCI compliance) are followed by new corporate and departmental policies and procedures. Eventually, these policy and procedure documents begin to overlap, resulting in redundancies such as a HIPAA policy and a separate PCI policy that address the same controls and requirements, increasing complexity and confusion. It is more practical to create one Access Control Policy or one Password Management Policy, for example, that meets both HIPAA and PCI requirements.
Electronic health record systems are designed to store data accurately and to capture the state of a patient across time. It eliminates the need to track down a patient’s previous paper medical records and assists in ensuring data is accurate and legible. It can reduce risk of data replication, as there is only one modifiable file, which means the file is more likely up to date, and decreases risk of lost paperwork. Some organizations still look at compliance as a check-the-box, document-and-audit exercise. However, more mature organizations realize that they need to take a risk-based approach as a way to focus their resources on areas with the highest risks.
We should also note that compliance may be a key focus of the healthcare industry, but that hasn’t always translated into secure environments. The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for protecting PHI.
What do Experts Recommend?
Although unencrypted data has been the main issue with healthcare data breaches, encrypting data isn’t a 100 percent solution to protect against these attacks. Proper cyber security controls and standards must be followed by healthcare sector. Security experts tell that application security has been neglected for a very long time by the healthcare industry. Each of the following recommendations should be implemented to enhance EHR security.
Application Security and Network Security
Hackers are discovering a variety of methods for breaking into healthcare organizations, keeping security administrators busy implementing server and device hardening. These personnel should also check for application security related issues by performing manual and automated penetration tests on all applications, including applications hosted on external and internal networks. Following OWASP standards during software development would help in identifying missing application security controls in the initial stages itself.
However, even as perimeter security such firewalls and intrusion detection systems are used, experts recommend that organizations should adopt technologies that would find and mitigate vulnerabilities and reduce the attack surface area. This includes techniques such as segregating networks so that an intruder into one area doesn’t have access to all the data stored throughout the organization. As data flows into and out of a hospital’s EMR and other systems in a variety of ways, many potential risks are created. A risk assessment is a critical way to identify the risks associated with the data flow.
Like banks that send a text message to confirm unusual transactions, companies can also use out-of-band authentication. The above-noted Anthem breach was identified when a user suspected unauthorized access. If the organization had implemented a second factor authentication via a separate channel – such as the use of mobile phone notification – the data breach may have been avoided.
Patch Electronic Medical Devices
While many of the IT security threats healthcare organizations face also affect companies in other industries, providers have another risk unique to their practices: some devices, such as pacemakers, monitoring tools and other electronic medical devices, are at risk of being hacked.
One step healthcare IT departments must take: Keep the software on those devices patched and updated to minimize their vulnerabilities.
Encrypt and Protect Portable Devices
In the past few years, several data breaches have occurred because a portable computing or storage device containing protected health information was lost or stolen.
Organizations should take steps to ensure that all devices that might hold patient data, including laptops, smartphones, tablets and portable USB drives, have proper encryption in plrace. In addition to providing encrypted devices for employees, it’s important to have a strict policy against carrying data on an unencrypted personal device.
The security of mobile devices can also be compromised by loss and theft, and when that occurs, it’s nearly impossible to ensure a device won’t fall into the wrong hands. Healthcare organizations must take precautionary steps to protect data in the event that a device goes missing. Some methods to accomplish this include remote wiping and locking, as well as tracking the device through GPS to locate and recover it.
Implement Least Privilege
This means only users with appropriate authorizations can gain access to protected data on mobile devices, and only IT has adequate tools to audit and manage all users’ permissions. Users don’t need access to the same type or amount of information that administrators might need access to in order to do their daily jobs. Limit the amount of access, and challenge users with two-factor authentication for certain transactions or requests for sensitive data.
Remove Unnecessary Data
One lesson many data breach victims have learned: The more data that’s held by an organization, the more there is for criminals to steal. Organizations should have a policy mandating the deletion of patient and other information that’s no longer needed.
In addition, it pays to regularly audit the information that’s being stored, so the organization knows what is being housed and can identify what may be deleted.
Data Breach Response Plan
It’s unlikely an organization will ever be able to prevent every possible IT security incident. That’s why it’s critical to develop a plan of action for when a breach does occur. Healthcare organizations should not just try to protect data but also should implement incident response plan when a hack has been identified.
Electronic health records specialists also provide remote storage and data backup systems. While this may not necessarily present as strong of a defense against hackers and data breaches as data encryption, it provides security for healthcare organizations against the potential of software failures or natural disasters that could destroy or damage files.
The bad guys are working hard to identify new ways to access healthcare data, and are interested in selling that data on the black market. In addition, the amount of increase in healthcare data breaches indicate that our medical industry must continually adopt new cyber security measures and standards to identify, detect and prevent vulnerabilities.
Nearly 90% of health IT professionals say that cybersecurity has become a higher business priority for their organization over the past year, and about 67% said their organization experienced a “significant security incident in the recent past,” according to a survey released recently by the Healthcare Information and Management Systems Society, MedCity News reports. Clearly, this is an issue that is on the rise and must be taken seriously by all healthcare organizations.
This is a guest article from Ashiq Ja, Security Researcher for the InfoSec Institute.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.