February 25, 2015
Why Medical Records Are Easy to Hack
Medical records have made their way online, opening them to security leaks -- and can be 50 times more lucrative than financial data for thieves.
If hacked credit and debit card account numbers are like gold in the cyber underground, then stolen healthcare records, containing patient information, are like diamonds.
Private details such as Social Security numbers, birth dates, physical descriptions and patient account numbers historically have been recorded on paper and stashed away in physical file folders and cabinets.
But the Internet all too rapidly has become our hub of commerce and social interaction. And that shift has included a mandate by the federal government to go paperless. The result: Healthcare records now exist in digital form, stored in ways that make them easy to hack.
Infographic: The ripple effect of medical identity theft
The criminal opportunities have not escaped organized cyber crime gangs that are stepping up hacking and stealing.
The Ponemon Institute found that many healthcare organizations get attacked multiple times each year, suffering losses ranging from several thousand dollars to more than $1 million per incident. The total loss to the industry can be as much as $5.6 billion annually.
“In the dark Internet, there seems to be more activity around the theft of medical information, not just to commit medical identity fraud, but to farm that data for a very long time (for other purposes),” says Larry Ponemon, chairman of Ponemon Institute, which has been conducting medical identity theft research since 2010.
Stolen healthcare data can be worth 10 to 50 times more than payment card data in the cyber underground. Electronic health records fetch around $50 per record, according to the FBI. Some experts put that number as high as $500 for some types of medical records.
Credit and debit card numbers, by contrast, can sell for as little as $1 to $2 per account number.
“There’s an enormous online marketplace for these records,” says Kurt Stammberger, senior vice president of marketing at Norse, a security company that monitors malicious and criminal Internet traffic. “It’s like eBay — people bid, and there’s a ‘buy now’ price.”
Healthcare companies are taking major financial hits—and writing off this exposure as an extraordinary cost of doing business. Details on the pain level for breached companies are surfacing, thanks to data breach disclosure rules under the Health Insurance Portability and Accountability Act (HIPAA). For instance:
- WellPoint, a managed-care company, settled a case with the U.S. Department of Health and Human Services for $1.7 million last year. WellPoint allegedly left electronic records of more than 600,000 people accessible over the Internet because of a security weakness.
- New York and Presbyterian Hospital and Columbia University agreed to a $4.8 million settlement earlier this year after substandard security led to 6,800 patient records becoming accessible by search engines online.
Individual consumers are getting harmed financially, as well, to the tune of $12.3 billion last year. Ponemon’s 2013 Survey on Medical Identity Theft found that more than one third of victims paid an average of $18,660 out of pocket to recover from data theft. That included being compelled to reimburse healthcare providers for services supplied to an impersonator.
Healthcare experts, privacy advocates and law enforcement officials acknowledge that the fundamental problem is mushrooming and won’t be easy to stabilize.
Part of the challenge is financial. The Affordable Care Act mandates that providers expend 80% to 85% of premiums on quality care—and that doesn’t include any provisions to prevent services from going to an identity thief.
According to Forrester Research, only 18% of healthcare organizations’ tech spending budget goes to security, compared with 21% across all sectors. And most providers plan a minimal or zero increase in budget.
“The mission of healthcare providers is to take care of patients, and anything that can interfere with patient care takes a back seat,” says Paul Asadoorian, product-marketing manager at vulnerability management vendor Tenable Network Security. “Security is one of those things.”
Meanwhile, individual victims of healthcare data theft can be left twisting in the wind.
The financial services industry maintains a central database where stolen identities can be flagged; the healthcare industry has nothing of that sort. In fact, it even lacks a simple standard for authenticating the identity of anyone who steps forward to request patient care.
There is no standardized practice for assuring the identity of a patient via an insurance ID card combined with another form of ID, observes Ann Patterson, senior vice president and program director for Medical Identity Fraud Alliance (MIFA). “That poses challenges for healthcare providers, when their main concern is quality of care,” Patterson says.