Published On: Mon, Mar 25th, 2019

The price of leaked medical records (the worth of it)

While it may be obvious to many people that health records constitute some extremely sensitive data, the commercial value of these records is probably less well-known. Yet the price of leaked medical records, and their value on the black market, is becoming an increasingly weighty issue for healthcare organisations to deal with.

Data Breaches

A new study published in the Journal of the American Medical Association in September 2018 noted that annual health data breaches increased by 70% between 2010 and 2017. And much of this emanates from the fact that nefarious individuals wish to steal this information in order to sell it on, due to its commercial value. This is a whole new field for many people, yet it is one that hospitals are ever more frequently required to deal with.

And the nature of the Internet means that this threat is emanating from multiple locations. This is very much a global issue, with healthcare organisations needing to deal with hackers and rogue individuals from all over the planet. For example, the FBI has warned healthcare providers to guard against cyber attacks, after one of the largest US hospital operators, Community Health Systems Inc, was penetrated by Chinese hackers.

$3 trillion value

With the US healthcare industry alone worth $3.3 trillion in 2016 according to CDC figures, it is obvious that there is a huge amount of commercial potential for criminals in stealing records. Yet the IT equipment used by healthcare organisations is often inadequate. Many hospitals rely on ageing computer systems, which do not use the latest security features. This would be bad enough in itself, but attackers are constantly discovering new methods to break down even existing defences.

Data sold on the black market can include such aspects of our health information as names, birth dates, policy numbers, diagnosis codes, and billing information, and fraudsters can use this data in order to create fake IDs and to engage in the highly irritating and damaging process of identity theft. False claims can even be made with insurers, and once this information is stolen it literally opens a Pandora’s box for the individuals involved.

Difficult to Trace

And another issue is that medical identity theft can be incredibly difficult to detect. Identity theft in itself can be tricky to pick up on if people are not diligent about their credit rating and files. But medical identity theft really can go undetected for quite some time, providing criminals with several years to take advantage of such credentials. This means that medical data is actually even more valuable than credit card data, underlining the importance of securing it adequately.

Basic stolen health credentials are worth around $10 each, which is approximately 15 times the value of an American credit card number, according to intelligence at PhishLabs. Hackers use underground exchanges on the dark web in order to sell the information, with the data becoming increasingly valuable.

The dangers involved are reflected in the number of healthcare organisations reporting cyber criminal penetration. This figure doubled in the four-year period between 2009 and 2013, according to annual fraud statistics compiled by Kroll, the investigations agency. Data protection is clearly becoming far more challenging for healthcare organisations, and this means that all personal data is potentially under threat.

Increasing Awareness

Hospitals are becoming increasingly aware of this danger, with chief information officers involved in healthcare organisations fending off thousands of attempts to penetrate the networks on a weekly basis. And the cost to our healthcare system of such perpetual attacks and frequent breaches is undoubtedly massive.

It is difficult to put a precise figure on this, as healthcare providers and insurers are not required to disclose data breaches that affect fewer than 500 people. Equally, there are no laws that currently require a criminal prosecution, meaning that the total cost of cyber attacks on the healthcare system is difficult to quantify. But the amount of money involved is certainly passed on to healthcare consumers as part of what seem to be inexorably rising health insurance premiums.

So what are hospitals and other healthcare organisations doing in order to fight back? Well, there are a variety of security measures available, and probably the most important of these is the installation of a virtual private network (VPN). These help block internal systems from hackers and encrypt data, and even some of the best free VPNs will massively improve security. With home users increasingly using VPNs, there is no excuse for commercial organisations to be without them.

Better Encryption

Aside from the encryption offered by VPN providers, hospitals are also implementing complex encryption systems. Any reputable healthcare organisation will be using such technology as SSH for administrative functions, GPG for email, and SSL for web serving of ePHI. Encryption is now so sophisticated that even if data is stolen, it can often be kept so firmly under lock and key that it is impossible to decipher.

Firewalls and network segmentation are also useful techniques used by healthcare organisations. Firewalls help to block inbound connections, while network segmentation ensures that even if there is a data breach, hackers are prevented from accessing all aspects of a system. Intrusion detection systems can also help to alert IT personnel when unexpected and suspicious activity is manifesting itself within a system.

HIPAA compliance

And it is vital for healthcare organisations to understand and adhere to the Health Insurance Portability and Accountability Act (HIPAA). This means keeping all employees up-to-date with the importance of security and being compliant with internal policies. This can often necessitate a raft of internal training, which should be an ongoing process. Ultimately, any healthcare organisation is only as secure as its least safety-conscious employee.

Data theft in healthcare organisations, and the leaked medical records that result from it, will only become a bigger hot potato issue in the years to come. In this climate, it is absolutely incumbent upon hospitals and other actors within the healthcare system to ensure that they secure data responsibly. This is in everyone’s interest considering the value of this information and the number of criminal gangs now trying to steal it.

 
