The year 2015 was known as “the year of the megabreach” and, given the year we’ve had so far, 2016 will undoubtedly be known as “the year of Ransomware.” These threats affect all organizations that have a computer connected to the Internet. The attacks are the same, the affected computers are the same, and the results are the same – well, mostly. Whether it’s the government, industrial control systems, or the financial, entertainment, or healthcare industries, attackers are agnostic. They don’t care what information you have or how it is stored; if they can turn it into personal gain, they will attack it.
There are frameworks and standards that are widely available to guide organizations to protect their valuable assets and information. These include COBIT, ISO 27002, U.S. Cybersecurity Framework, NIST 800-53, and the Center for Internet Security (CIS) Top 20 Critical Security Controls. These frameworks apply equally to all industries and can be applied uniformly across the board.
The bottom line is that healthcare information falls into its own special category and you need a unique approach that uses the best of health information security services to keep it secure – a regular approach to information security will not be enough.
Understanding the Landscape
Before going further, it is important to understand the healthcare industry landscape. Healthcare has largely made the transition from paper to electronic systems, however, the industry is still maturing when it comes to electronic data sharing and adequately protecting health information. We estimate that the healthcare industry lags about 10 years behind the financial industry in regards to technology adoption. While technology is enabling the healthcare industry to do much more than they could in the past, their systems and processes are still new and developing.
Unfortunately, the threat landscape has changed significantly over the last 10 years and, today, the healthcare industry is facing very real and very sophisticated risks. Understanding the difference between technological maturity and today’s threat landscape is critical to evaluating security risk and vulnerabilities in the healthcare industry.
While healthcare-specific regulations (such as HIPAA in the United States and PHIA in Canada) have existed for many years, most healthcare organizations have not achieved compliance. As government entities create health information exchanges and implement data sharing agreements, healthcare entities will need to demonstrate compliance to the published security requirements.
People’s Lives Are at Stake
When financial, personal, or confidential business information is breached, it is certainly inconvenient and can have major consequences for individuals and corporations, but when health information is breached, modified, or deleted, lives can be at stake. Research has shown that network-connected medical devices are commonly susceptible to compromise and are often not segmented from other systems on hospital networks such as workstations and laptops. This means that even simple malware could infect a workstation, resulting in compromised systems that are critical to keeping people alive and/or monitoring the health of individuals.
Similarly, unauthorized modification or deletion of health records can affect critical health decisions made by health professionals. The threat to this information is not just by outsiders, but also by motivated individuals within the organization. Insider threat must be accounted for when performing security risk assessment and determining appropriate security controls.
A Medical Record Has It All
When a credit card number is breached, the information has a limited lifetime. An attacker sells the number and the person who purchases it uses it to make an unauthorized purchase. Credit card brands and financial institutions are very good at detecting fraudulent activity and often the victim will detect it as well. After this happens, the credit card is quickly canceled and the number becomes useless. On the other hand, a breached medical record can contain all of the ingredients for a successful identity theft. This may include date of birth, address, phone number, SSN/SIN, email address, full face photograph, and health insurance information. Many of these items are not only useful in committing identity theft and insurance fraud, but unlike a credit card number, they are also hard or impossible to change. This means that once an attacker has the information, it has an unlimited lifespan.
The bottom line is that health information is far more valuable than financial information.
A full medical record, including health insurance policy numbers, can fetch up to $500 on the black market. This information can be used to not only procure health services, but also purchase pharmaceuticals and medical devices which can be resold for a profit. Where there is potential profit, the threat will exist.
Conclusion – Take Two Aspirin and Call Me in the Morning
With the number and size of healthcare data breaches increasing every year, it is critically important for organizations that create, maintain, and transmit health information to address the privacy and security of this information. Because of the increasing value of the information, the threat is growing and even small organizations are targets. Many healthcare providers have little or no information security experience, and it is often prudent to partner with organizations that specialize in information security consulting. When considering a partner for information security advice and services, it is important to ensure that the service provider has experience in, and understanding of, the healthcare environment and the threats, risks, compliance, and controls unique to the healthcare industry.
Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here.