It seems as if hardly a week goes by without news of another data breach at a hospital, insurance company or other healthcare-related organization. Just a few weeks ago, my husband – along with thousands of other Microsoft employees – received a notice that our health insurance provider, Premera Blue Cross, had been the target of a cyberattack and our information could possibly have been compromised. The breach affected more than eleven million past and present customers across the US.
Medical records comprise some of an individual’s most sensitive information. Healthcare providers know things about our bodies and our states of mind that we might not want to share even with our best friends and closest family members, let alone a complete stranger. The doctor-patient relationship is one of only a handful (along with attorney-client, priest-penitent and spousal relationships) that are protected by law; in most jurisdictions, a physician can invoke this privilege and cannot be compelled to testify in court about what a patient disclosed.
The law recognizes the importance of confidentiality in this area in other ways too, through legislation such as the Privacy Rule of HIPAA (the Health Insurance Portability and Accountability Act of 1996) in the United States, HIPA (the Health Information Protection Act) in the Canadian province of Saskatchewan, the Data Protection Act in the United Kingdom, and similar statutes in other countries.
HIPAA compliance has been an ongoing challenge for IT professionals in the healthcare industry, and an entire industry has grown up around products and services designed to help organizations meet HIPAA’s data protection requirements. This plethora of rules and regulations has led the public to believe that their medical secrets are safe, but the frequency of incidents indicates that this isn’t really the case.
According to Symantec’s annual Internet Security Threat Report, published this month, 2014 saw a 25 percent increase in healthcare organization incidents compared to 2013, with 116 such incidents reported. That’s almost ten breaches every month, and that’s downright scary when you consider the different types of information these organizations store.
Axel Wirth, Symantec’s national healthcare solutions architect, explains: “Another situation that many healthcare providers struggle with is poorly patched devices, often running end-of-life operating systems. These highly vulnerable devices are a problem not because they are targeted, but because of their susceptibility to common malware.” These situations mostly affect operations, but Wirth says there have been cases where, because of malware infections on diagnostic equipment, emergency patients had to be routed to another hospital. Such instances only serve to highlight the importance of keeping machines patched and updated.
Healthcare databases contain the usual personal info that identity thieves lust after: full names, home addresses, dates of birth, social security numbers, and payment information such as credit card or bank account numbers. But there’s so much more. Think about all those questionnaires you fill out at the doctor’s office that ask about your medical history and that of your ancestors.
Someone with access could find out about all the health problems you’ve had, surgeries and treatments you’ve undergone, medications you’ve taken, whether you’ve ever consulted a psychologist or psychiatrist, whether mental illnesses run in your family, whether you’ve had an abortion or plastic surgery or bariatric surgery or been prescribed Viagra or antidepressants or have a heart condition … the list goes on and on. Healthcare reforms such as the ACA push doctors to ask even more invasive questions that aren’t necessarily related to your medical condition, such as whether you have an active sex life or have used drugs in the past. Some physicians even routinely ask whether patients own a gun.
Now imagine what a criminal could do with all of that information. Identity theft would be simple, and fraud becomes far easier when you know that much about the victim. Blackmail is a very real possibility, especially for people in the public eye, in powerful positions or in sensitive government jobs. Attackers can hold data for ransom, and nation-states could even use the threat of exposure to pressure government insiders into handing over classified information.
Now you might argue that security breaches are increasing on all fronts, but the numbers speak for themselves: in 2014 there were approximately four times as many breaches in the healthcare sector as in the financial, government or education sectors. Some have suggested that hackers are turning their efforts to the medical industry partly because credit card companies are (finally) getting better at securing their information. But the comparative profit potential is undoubtedly another factor.
Stealing healthcare data is a lucrative practice; medical information is worth more on the black market than credit card data alone. That explains why so many healthcare organizations are being targeted, but it’s also what makes the situation particularly troubling. When you dig into the details, it gets even more worrisome: Symantec’s statistics show that almost half of healthcare breaches (44 percent) are caused by lost or stolen devices, and insider theft increased by ten percent compared with the previous year.
In many cases, that translates to plain old carelessness. Physical security is the first and (should be the) easiest aspect of protecting confidential electronic information. Employees who work with sensitive data must be trained to treat their devices as highly valuable objects and protect them the way they would protect a wallet holding a pile of credit cards and a large amount of cash. Situational awareness is the key; it isn’t difficult, but it does require a change in mindset. Devices will still go missing, though, so full-disk encryption on every laptop, phone and removable drive that holds patient data is the necessary backstop: under the HIPAA Breach Notification Rule, PHI that is encrypted in accordance with HHS guidance is not considered “unsecured”, so a lost encrypted laptop is an inconvenience rather than a reportable breach.
Loss and theft aren’t the only culprits, though. Even if information workers hang onto their devices, those devices can be breached when they aren’t diligently updated. Poorly patched systems are another major problem that makes attackers’ jobs easier, and it applies to mobile and desktop systems alike. Many hospitals and doctors’ offices still run old operating systems and applications with numerous known security holes (some beyond their support lifecycle, which means no patch for those holes will ever come). Others run more modern systems but fail to apply patches in a timely manner because IT staff are overworked or because they fear that patching will break functionality and cause downtime of critical systems that the organization can’t afford to have out of commission.
There is no quick and easy fix to this problem, just as there is no quick and easy fix to the larger problems within the healthcare industry, but it’s imperative that organizations start thinking about and addressing the issue sooner rather than later. Recent studies have shown that public trust in doctors and the healthcare environment has declined sharply over the last fifty years. If patients believe they can’t entrust their physicians and other medical professionals with their most sensitive information, both the industry and the patients themselves will suffer.
Good patch management practices – which can be greatly improved by using modern third-party products and services such as GFI LanGuard – along with serious security awareness training for everyone who handles medical data, would be a good first step.