Ride the Lightning

Cybercriminals Love Health Care Records

July 17, 2014

A recent post from Politico highlighted the allure that health records have for cybercriminals.

On the black market, a full identity profile contained in a single record can fetch as much as $500. You can imagine how much a big breach might be worth.

“What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data,” said Robert Wah, president of the American Medical Association and chief medical officer at the health technology firm CSC. “I think the health data stewards are probably a little behind in the race. The criminal elements are incredibly sophisticated.”

Health care is the new kid on the block of the digital world, trailing banks and retailers with decades of experience in cybersecurity. Most hospitals and doctors have gone from paper to electronic health records in the space of a few years while reaping $24 billion in federal incentive money paid out under the 2009 Health Information Technology for Economic and Clinical Health Act.

One peek into our future may have been a three day event when hackers using a Chinese IP address infiltrated the St. Joseph Health System in Bryan, Texas, and exposed the information of 405,000 individuals, gaining names, address, Social Security numbers, dates of birth and other information.

It was the third-largest health data breach tracked by the federal government.

While a stolen credit card or Social Security number is worth one dollar or less on the black market, a person’s medical information can yield far more, according to the World Privacy Forum. Thieves want to hack the data to gain access to health insurance, prescription drugs or just a person’s financial information.

A credit card can be canceled within hours of its theft, but information in a patient’s health record is impossible to undo. The record contains financial records, personal information, medical history, family contacts — enough information to build a full identity.

The Identify Theft Resource Center — which has identified 353 breaches in 2014 across industries it tracks, says almost half occurred in the health sector. Criminal attacks on health data have doubled since 2000, according to the Ponemon Institute, an industry leader in data security.

The FBI has said that the health care industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."

The annual security assessment by the Health Information Management Systems Society showed that about half of surveyed health systems reported spending 3 percent or less of their IT budgets on security. Some 54 percent of the 283 IT security professionals surveyed had tested a data breach response plan, and slightly more than half of hospitals had an IT leader in charge of securing patient data.

Nearly 1.84 million people have been victims of medical identity theft, according to a Ponemon report released last year, including 313,000 victims in 2013 — a 19 percent jump from the previous year.

The reluctance of the health care industry to spend serious money on cybersecurity may have grave consequences for patients. Time to up the game.

Hat tip to Alan Goldberg.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq