This is the first in a series of articles looking at how the cybercrime wave is affecting different industry sectors. This first article will look at our healthcare industry. Healthcare is arguably one of the most information intensive sectors. During any individual interaction with a healthcare service, a multitude of data is created, shared and stored. Electronic health records (EHR) contain enormous amounts of information about us: from personal details, such as name, address and our age, to medical data for past, present and potentially future physical or mental health issues, to financial details. It is a very rich source of information making the healthcare industry a prime target for cybercriminals.
IBM’s X-Force in their 2016 Cyber Security Intelligence Report stated that healthcare is the “most frequently attacked industry”. 2015 it seems has been the year of the healthcare breach. Most of the serious healthcare breaches since 2010, took place in 2015. This included:
· Anthem: Almost 80 million records breached
· Premera Blue Cross: 11 million records breached
· Excellus: 10 million
· University of California, Los Angeles Health: 4.5 million
· Medical Informatics Engineering: 3.9 million
Any organization that has a breach that involves 500 or more records has a legislative obligation to inform the Office of Civil Rights under Health and Human Services (OCR). The breach is then posted to a website, jokingly called the ‘wall of shame’ for the world to see. According to the information found at the OCR website, in 2015 over 112 million healthcare records were breached.
All of the above incidents were, according to the OCR site, caused by a “hacking/IT incident” on a “network server”. The likely reason behind the breach was to steal medical records and this is because medial information is valuable. According to a Ponemon study, 2015 Costs of Data Breach, a U.S. medical record is worth, on average, $368 compared to a mean of $217 for other record types. This makes the healthcare industry a very lucrative target for a cybercriminal, who can sell these data on the dark web. And the data theft doesn’t stop there. Once stolen, personal data is used for social engineering attacks against individuals. It is also used for secondary attacks, like the IRS breach where personal data is used for verification purposes; in the IRS case, to make fraudulent tax claims. Stolen PHI is the gift that keeps on giving.
In 2016 we are seeing a possible change in the tactics used by cybercriminals against healthcare, away from pure data theft, to cyber extortion. There has been a spate of ransomware attacks against healthcare organizations in the U.S.
A recent report by the Health Information Trust Alliance, found that 52% of the healthcare organizations interviewed in the U.S. has been a victim of ransomware.
Healthcare is one of the industries that have specific legislation protecting individual data. In the healthcare industry this is known as Protected Health Information or PHI. PHI covers a gamut of data, including personal identifying information (PII) such as name, address, age and so on. It also includes medical data that relates to physical or mental health issues in the past, present or future. It also includes details such as biometrics, device identifiers and DNA. PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA), brought in to protect the security and privacy of health data.
The Health Information Technology for Economic and Clinical Health Act or HITECH, was an act originally introduced to set the framework for electronic health records (EHR). It helps to extend the reach of HIPPA in term of protection of health data. An extension to HITECH, section 13407, which is enforced by the Federal Trade Commission (FTC), has brought the supply chain into focus. This clause specifies that the rules of data protection and privacy covered by HIPPA covered entities, now extend to all third party business associates, including contractors and sub-contractors, that have anything to do with health data handling. This creates a chain of organizations that have strict rules applied to how they must manage the security and privacy of the health data under their remit.
Healthcare is always going to be a prime target for cybercrime because the industry is a data innovator. Data is used as part of its prime objective, to care for us, but also to build better procedures and healthcare outcomes. The healthcare industry is one of the early adopters of Cloud based big data sharing. The Google Genomics project, for example, allows medics and researchers from across the globe to share genetic information.
Healthcare is also embracing disruptive technologies such as mobile and the Internet of Things (IoT). Analysts MarketsandMarkets are predicting the healthcare IoT market to be worth around $163 billion by 2020. IoT devices are being used across the healthcare ecosystem from individual wearable’s relating health data to the Cloud, to medical devices used within a hospital context – the FDA now being fully on-board with the use of IoT devices in a medical context. As for mobile, a study has shown that at least 87% of physicians use a mobile device for work related tasks.
With all of this data being generated across an increasingly diverse and interconnected playing field of devices and Cloud platforms, healthcare is a cybercriminals dream. With HIPPA and now the extended HITECH ruling on third party ownership of data security, it has never been a more important time for the healthcare industry, and its extended supply chain and partners, to step up to the plate and create a healthy cyber security strategy.