Security

What Happens to Stolen Healthcare Data?

As patients demand increased security for their medical records, healthcare organizations face an uphill challenge to protect the data.

Andrew Steger

Andrew is the web editor for HealthTech magazine. His experience includes marketing for a major IT services company and digital strategy for WashingtonExec.

Year after year, data breaches are becoming an increasingly critical issue for the healthcare industry. Nearly 32 million records have been exposed through June of this year alone —more than double the number for 2018.

“Health information is a treasure trove for criminals,” Tom Kellermann, chief cybersecurity officer of Carbon Black, tells HealthTech. “By compromising it, by stealing it, by having it sold, you have seven to 10 personal identifying characteristics of an individual.”

It’s no surprise, then, that the high value of medical records on the dark web has surpassed that of social security and credit card numbers. These records can sell for up to $1,000 online, depending on the completeness of the information contained within, according to Experian.

Despite this seemingly high profitability, the reality remains that cybercriminals typically seek more nefarious outcomes from a breach, which poses the larger question: What happens to stolen medical records once they’re in the hands of a cybercriminal?

What Threats Are Associated with Stolen Patient Data?

Although stolen health data can be used to carry out a variety of crimes, two scenarios are detrimental: leveraging details specific to a disease or terminal illness, and long-term identity theft.

“Traditional criminals understand the power of coercion and extortion,” Kellermann says. “By having healthcare information — specifically, regarding a sexually transmitted disease or terminal illness — that information can be used to extort or coerce someone to do what you want them to do.”

Often, this will result in a financial payoff extorted from the hacked individual, Kellermann notes. But what concerns him more is the potential for, and consequences of, medical identity theft.

With traditional identity theft, banks and the Social Security Administration are able to contain some instances by changing details, such as account or social security numbers. However, because health data can’t be changed, identity theft can have long-term ramifications that go beyond the typical hazards.

“I'm not merely mentioning the creation of a new credit card account,” Kellerman says. “I'm talking about more serious and heinous identity theft, like tax fraud and home equity loan fraud, which is growing dramatically in the U.S. It’s quite lucrative, obviously, and important for cybercriminals to have all the various identifying information about someone that is held in the records associated with health.”

CBS News recently reported on the lasting damage of medical identity theft. Brandon Reagin, who fell victim in 2004, tells the news outlet that “it was quite a tumultuous decade of a mess.”

Someone impersonating the young Marine was supposedly stealing vehicles and having multiple medical procedures done, the outlet reported. When the healthcare systems approached Reagin for payment, the bills totaled nearly $20,000.

Reagin attempted to solve these issues by removing them from his credit report, but the fight hasn’t ended; charges reappear with each new billing cycle.

What Makes Healthcare Data Vulnerable to Attack?

Gary Cantrell, head of investigation at the Department of Health and Human Services Office of the Inspector General, told CBS that medical identity theft is something he sees often. Last year, the agency dealt with roughly 400 reported cases of medical data breaches. Some of that data ended up for sale on the darknet.

Despite knowing data has been compromised, investigators don’t always know how or when it will be used, Cantrell says.

Kellermann argues there’s a reason why these breaches occur in healthcare so often: The industry has some of the worst cybersecurity practices worldwide.

“Organizations are far too reliant on firewalls and encryption, neither of which can stop modern-day cyberattacks,” Kellermann says. “The big challenge with the entire governance of the healthcare sector with regards to cybersecurity, is that there are physicians who run the board, who run various departments. And these folks are very astute when it comes to medical knowledge but not quite prepared to handle the risks of IT and IT deployment.

“When they're deploying IT left and right with mobility, Software as a Service and cloud, and yet only protecting it with encryption, they leave themselves wide open to attack.”

Just as patients who walk into a physician’s office or a hospital should expect a clean, safe environment, they should have the same expectations for the facility’s digital landscape.

Says Kellermann: “The irony here is that these digital transformation efforts are spreading virtual disease, which in the long-term not only inhibits operations, it causes this phenomenon I would call digital disease among customers — where their identities are stolen, and they are extorted because their personal information has been released.”

How to Minimize the Possibility of Stolen Medical Data

For patients, the consequences of having their protected health information stolen, sold and used to create fake claims in their name can be violating and have a major impact on their future care decisions. When healthcare organizations fail to protect patient data, they risk losing the trust of their patients and, ultimately, their reputation.

A constant evaluation of security practices has become imperative for healthcare organizations hoping to avoid the possibility of a breach. Introducing practices such as application control and privileged access management can help organizations take a step in the right direction, protecting their data in ways where basic encryption might fall short.

“Administrators shouldn't have administrative privileges at all times,” says Kellermann. “Even though they’re administrators, they should only have just-in-time administration for a specific purpose or use. Hackers are very smart, and they’ll target all administrators and superuser accounts when they go after an infrastructure because they know those people have the keys to the castle.”

The most important data for an organization, however, is often collected and delivered by endpoints. Moreover, this is where breaches are most likely to happen due to their contact with users — typically seen as a “weak link” in an organization’s security strategy — and the ever-increasing number of Internet of Things devices being added to networks.

Having an endpoint protection platform is critical for security teams to take an active role in combatting cyberattacks. Effective defense, Kellermann notes, should have three things:

“It should have behavioral anomaly detection,” he says. “It should be able to capture all the data or all of the phenomenon that’s occurring on an endpoint and allow you to store that so you can look back in time to understand the root cause of that of that criminal activity. And it should have the capacity to have an open API so you can connect to other security controls or mechanisms that you have that predate your modernization efforts, or postdate it for that matter.”

Still, security practices only work if everyone is on board. It’s important for all healthcare staff to receive regular security awareness training to help stop cyberattacks before they happen. Healthcare employees are almost as likely to report an incident as internal security teams.

As for patients hoping to increase their own personal security, Kellermann offers the following advice: Keep your data close.

“When you enter a new facility or a new physician's office, you're not required by law to provide your Social Security number, so don't,” he says. “Start there, and basically minimize the information you're putting out.”

Tero Vesalainen/Getty Images