Although we all applaud the massive push towards electronic health records (EHRs) and the digitization of medical information, there are some very tangible cybercrime data breach threats that exist which could topple the momentum gained by the launch of the Health Information Technology for Economic and Clinical Health Act (HITECH) two and half years ago. Two recently released reports (Verizon’s Data Breach Investigations Report and FireEye’s Advanced Threat Report) suggest that the proportion of healthcare data breaches is rising fast, the largest majority targeting patient personal and payment information (including patient health and insurance data) that attackers can directly or indirectly use to make a profit. The reports point to an urgent situation developing for healthcare facilities to strengthen their data security defenses and adopt a common sense, evidence-based approach to managing security. (Side note – you can find a great infographic illustrating healthcare data breaches by state here).
It’s clear to many of us that adopting an EHR system and encouraging more patient engagement through digital communication channels is and will continue to be beneficial for the healthcare industry to ultimately improve quality of care and drive down costs. As the healthcare industry inches closer to full scale digitization, as patients we often overlook the fact that our personal data is just as susceptible to cyber theft as it is in other industries (think financial services, and retail for example). Those who acknowledge the risk of having their information stolen probably feel that data is most susceptible to being swiped at a hospital or large medical facility, which as it turns out isn’t the case (more on this in the next section). It is important for us to be as diligent to protect our identity and safeguard our data in healthcare as it is when we perform online banking or engage in e-commerce.
Healthcare Data Breaches Centered on Point of Sale (POS) Systems
Although Verizon reported that healthcare data breach incidents were only 7% of the overall amount (reports vary widely based on datasets used in research – this infographic on healthcare fraud for example indicates that healthcare was the most security breached industry in 2011), they pointed out that the proportion of these breaches are increasing every year and:
“the largest majority are focused on small to medium businesses and outpatient care facilities like medical and dental offices.”
Facilities hardest hit tend not to be the large hospitals or medical centers, but instead the smaller doctor’s and specialists offices, seeming counterintuitive to the types of businesses that data thieves normally prey upon.
The data suggests that hackers are searching for any financial information associated with a patient’s account, centered primarily on POS systems (64% of compromised assets) and other assets in the payment chain. For example, a criminal could hack into a Dr’s office POS system and when you pay your deductible or co-pay prior to a check-up and medical staff swipes your credit/debit card, it could be captured by a thief and used illegally. Not surprisingly, thieves are concentrating their efforts on stealing financial information from a patient which could be illegal access to a POS system or access to a patient’s personally identifiable information (PII) which may contain even more personal financial data. The report when on to say that it’s interesting POS systems would play such a prominent role in healthcare data breaches since:
“…medical professionals are trained to protect the confidentiality of patient information.”
The breakdown of compromised assets by percentage of breaches is as follows:
POS Terminal: 64%
POS Server: 48%
Database Server: 5%
Backup Tapes: 2%
It’s important to note that cybercriminals don’t hack into healthcare systems to check medical histories or a diagnosis – they break into accounts to steal your information so they can open financial accounts in your name and steal money. As healthcare digitization evolves, one wonders what other information these criminals can steal or misuse for their own advantage or profit. In addition, just because you operate a small Dr’s office in rural Idaho doesn’t mean you aren’t a target of a cybercriminal – remember that most attacks are directed against small companies, healthcare included.
Malware, Hacking Top Threats to Healthcare
Verizon’s report makes it clear that organized criminal group outside attacks are:
“…notorious for knocking over smaller, low risk targets…to nab personal and payment data…”
and constitute the #1 entity to cause or contribute to an incident with insider jobs (aka – employees going “rogue”) coming in a distant second. Among the many ways criminals illegally gain access to a closed system, hacking and malware are involved in nearly all breaches. Using weak or stolen credentials and passwords, these attacks peruse the Internet searching for victims and hacking into exposed systems to install malware that captures personal data and then exploits it for criminal purposes.
Most attackers gain entry into a system by sending “spear phishing emails” that use rogue attachments or malicious URLs to launch malware that guesses employee credentials (passwords/PINs), indicating that despite the major push by many in the security industry to strengthen passwords or use an alternative network or single sign-on (SSO) technology, many people still use passwords that are easy to steal. Once a hacker gains access to a system by exploiting a weak credential, they drop malware which allows remote access and control of data flowing in and out. Scary stuff.
What may be even more surprising is the speed at which cybercriminals can infiltrate a system, steal information, and then begin to use it to commit crimes. The Verizon report suggests that in a matter of minutes, your information can be accessed, stolen, and used for nefarious purposes, but it could take months or more for the healthcare organization or you to even discover it.
A Call to Action for Healthcare Providers
No one claims that data breach reports like these are any reason for healthcare to push the panic button, but many will agree that statistical analysis of the problems breaches cause should invoke common sense reactions that can quickly and substantially tighten security. The Verizon report recommends that healthcare providers start with:
”…adopting a common sense, evidence based approach to managing security…”
which means understanding what types of threats affect healthcare organizations and then making adjustments to security strategies and tactics that address these threats. The report goes on to suggest that healthcare organizations:
• Change administrative passwords in all POS systems
• Implement a firewall or access control list on remote access/administrative services
• Avoid using POS systems to browse the web
• Make sure your POS system is PCI-DSS compliant – you can read more about PCI Security Standards here.
If you use a third party to manage your network or POS system, ask them to confirm if all of these steps have been taken and hold them accountable to fulfill their obligations to get it done. Another suggestion is to encrypt all user devices that contain sensitive information, or use technology like biometrics for network or SSO to strengthen credentialing.
Whatever your current network and POS system security conditions may be, the time is now for a self-assessment and recalibration if needed. You don’t want an actual data breach to be the trigger for making changes and upgrades.
John Trader is a public relations and marketing manager with M2SYS Technology.