Cyber-Criminals Target Health Care Information

By Jared Rhoads

Consumers entrust health care providers with some of their most sensitive personal information, and they have high expectations that this information will remain private and secure. However, the incentives for cyber-criminals to exploit weaknesses and vulnerabilities for financial gain are sizable, and industry preparedness is, at best, spotty.

According to the Department of Health and Human Services, more than 19 million people have had their health information compromised in some form since the new Health Insurance Portability and Accountability Act (HIPAA) breach notification rule went into effect a few years ago. While many of these breaches are attributable to the loss or theft of laptops, thumb drives and other physical data storage devices, instances of cyber-infiltration are on the rise, and the potential for damage to real-time facility operations is far greater.

In their search for easy prey, cyber-criminals typically attack smaller, less well-defended targets such as small-practice offices, clinics and community hospitals. The craftiest hackers cover their tracks after a breach, so victimized organizations don’t discover the damage until weeks or months later.

Meanwhile, patients who are victims of data breaches have more to cope with than just the invasion of their privacy. According to a 2012 study by Verizon, most hackers who infiltrate health IT systems are primarily seeking to exploit the financial data associated with electronic health records.

Cyber-criminals typically extract the information and sell it to a third party for use in various organized schemes involving identity theft, insurance fraud or outright financial theft. According to recent estimates, a stolen medical identity now has a street value of $50, compared to $14-$18 for a stolen credit card number and just $1 for a stolen Social Security number.

Health care organizations need to modernize their approach to cyber-security with an integrated strategy that addresses current threats and tackles the ever-changing landscape. At the most basic level, organizations must first address known problems and implement basic safeguards, such as disk encryption, network monitoring, network segmentation and use of a data enclave. Then, to deal with always-evolving information technology and security needs, organizations should develop (or partner for) the specialties and resources to handle new risks as they emerge.

For starters, organizations should conduct a comprehensive risk assessment to identify the gaps between their current practices and industry best practices. While doing a risk assessment, organizations can also ensure compliance with federal and state laws, including HIPAA, although these regulations should always be taken as a floor for capabilities, not a ceiling.

Organizations should also develop an explicit strategy for combating threats and responding to incidents, and document their reasons for addressing potential risks the way they have. In the event of a federal HIPAA audit, such documentation is critical.

Anticipating new threats is a bigger challenge. Given the resources, skills and motivation of cyber-criminals, the number of organizations that can adequately conduct their own security overhaul without outside help is small. New options, however, are emerging that can provide the requisite expertise and resources to rival the hackers in sophistication.

One option is the use of a managed security service provider (MSSP). Under this model, a health care organization can outsource all or part of its IT security function to an external security specialist, receiving around-the-clock network monitoring, incident tracking and immediate incident response. These firms use sophisticated hardware and software to supplement an organization’s security infrastructure, while allowing normal communication channels and data resources to remain usable.

Security is complicated and it’s a moving target. However, with the right technological tools, security concerns need not hinder an organization’s growth or prevent it from using data assets to improve care delivery, quality and financial performance.

Jared Rhoads is a senior research specialist in the Global Institute for Emerging Healthcare Practices, the applied research group of Computer Sciences Corp.’s health care division.