A Virtual Goldmine: Why Criminals Target Patient Data (Part 1)
by Robert Lord, Co-founder, Protenus on February 8, 2017
The healthcare industry is under siege.
Health data breaches of patient information have become all too common, with both external and insider threats trying to gain access to patients’ electronic health records (EHRs), and it does not appear that the number of attacks will ease up anytime soon. But this begs the question: Why are EHRs so vulnerable to attack? And why do criminals target them in the first place?
We are going to dive into the world of EHRs and examine what makes them so vulnerable and so valuable and examine how EHRs need to be easily and widely accessible, how healthcare organizations have fallen behind when it comes to EHR cybersecurity, and how criminals have created sophisticated attacks in order to steal EHR data, patient ePHI, and sell them for profit.
Better understand your organization's approach to protecting patient data in the EHR by reviewing our Patient Privacy Primer - knowing where your organization is today can help you better protect patient data for the future.
Why Criminals Target Patient Data: The Black Hole of Access and Patient Data Security
One of the main reasons that patient information is so difficult to protect is that, within a healthcare organization, the EHR must be easily accessed and widely available, especially in emergencies. To make records easily accessible, employees use many different systems and devices – including computers and mobile devices – to reach the EHR. Moreover, third-party vendors, such as equipment and drug suppliers, as well as insurance companies, often have "minimum necessary" access to ePHI. As a result, a wide range of organizations and people, using a wide range of systems and devices, can access EHR data. This also makes patient data security much harder to ensure, because criminals have so many access points they can exploit to reach this wealth of information.
Health data security became even more complicated with the transition from paper to electronic health records. While this switch has undoubtedly benefited the healthcare industry by making it easier to share patient information between providers, it has drawbacks. Government mandates, including the Affordable Care Act, compelled healthcare organizations to adopt electronic health records even when those organizations lacked the resources to secure them properly. Unfortunately, this has left many EHR systems vulnerable to criminal attack and made them a consistently easy target.
Budget and Innovation Leave a Gaping Hole in EHR Cybersecurity
This problem is further compounded by the fact that healthcare organizations have lagged behind in putting proper security measures in place, leaving the EHR vulnerable to both insider and external threats. A KPMG study estimated that healthcare organizations can spend as little as one-tenth of what other industries spend on security. Thus, healthcare organizations are simply not prepared for the sophisticated threats that criminals are launching against them. For instance, many healthcare organizations do not encrypt patient data, either at rest or in transit, meaning that when the EHR is breached, criminals have direct and immediate access to the information. Similarly, many organizations do not have a privacy analytics platform in place to monitor the EHR for insider threats, such as hospital employees who access patient data without authorization or criminals who use stolen credentials to compromise patient information.
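The monitoring described above, and the exfiltration problem raised in the ransomware discussion later in this post, come down to the same defensive control: reviewing EHR audit logs for access that does not fit a user's role. The script below is an added illustration, not Protenus code or any vendor's product. It runs two checks that privacy-analytics tooling typically performs: flagging accesses with no documented treatment relationship between the user and the patient (snooping or stolen-credential misuse), and flagging an account that touches far more distinct patients in a short window than a normal workflow would (bulk access consistent with exfiltration). The log format, user names, patient IDs, care-team assignments and thresholds are all constructed for this example; real EHR audit exports and baselines differ by vendor and organization.

```python
"""
Toy EHR access-audit monitor (added example; not Protenus code).

Checks modelled on what a privacy-analytics platform does with EHR audit logs:
  1. access with no documented treatment relationship between user and patient
     (possible snooping or stolen-credential misuse), and
  2. one account touching more distinct patients than a threshold within a
     short window (bulk access consistent with exfiltration).
Every log line, user, patient ID and threshold below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: "timestamp user patient action" per line.
# The format is hypothetical; real EHR audit exports vary by vendor.
SAMPLE_LOG = """\
2017-02-08T09:00:12 nurse_a P1001 view
2017-02-08T09:05:40 nurse_a P1002 view
2017-02-08T09:30:01 dr_b P1001 update
2017-02-08T10:15:22 nurse_a P2044 view
2017-02-08T11:00:00 clerk_c P3001 view
2017-02-08T11:00:03 clerk_c P3002 view
2017-02-08T11:00:05 clerk_c P3003 view
2017-02-08T11:00:08 clerk_c P3004 view
2017-02-08T11:00:11 clerk_c P3005 view
2017-02-08T11:00:14 clerk_c P3006 view
"""

# Constructed care-team assignments: which patients each user may access today.
TREATMENT_RELATIONSHIPS = {
    "nurse_a": {"P1001", "P1002"},
    "dr_b": {"P1001"},
    "clerk_c": {"P3001"},
}


def parse_log(text):
    """Parse 'timestamp user patient action' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return events


def find_unauthorized_access(events, relationships):
    """Return (user, patient) pairs where no treatment relationship exists."""
    flagged = []
    for e in events:
        allowed = relationships.get(e["user"], set())
        if e["patient"] not in allowed:
            flagged.append((e["user"], e["patient"]))
    return flagged


def find_bulk_access(events, window=timedelta(minutes=5), max_patients=3):
    """Return {user: peak distinct-patient count} for users who exceed
    max_patients distinct patients inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct patients touched from this event until the window closes.
            patients = {x["patient"] for x in evs[i:]
                        if x["ts"] - start["ts"] <= window}
            if len(patients) > max_patients:
                flagged[user] = max(flagged.get(user, 0), len(patients))
    return flagged


def audit_report(log_text, relationships):
    """Run both checks and return the findings as one dict."""
    events = parse_log(log_text)
    return {
        "unauthorized": find_unauthorized_access(events, relationships),
        "bulk": find_bulk_access(events),
    }


if __name__ == "__main__":
    for category, findings in audit_report(SAMPLE_LOG, TREATMENT_RELATIONSHIPS).items():
        print(category, findings)
```

On the constructed log, the first check flags nurse_a viewing P2044 (a patient outside her assignments) and clerk_c opening five patients he is not assigned to; the second check flags clerk_c for touching six distinct records in fourteen seconds. In practice the relationship table comes from scheduling, admission and care-team data, and the bulk threshold is set per role from historical baselines rather than a fixed number.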
Ransomware Is Just the Tip of the Iceberg
Ransomware attacks are a good example of the level of sophistication that cyber criminals are using against healthcare organizations. In a ransomware attack, the criminal holds the EHR for ransom by hacking into the system and encrypting the information in order to prevent an organization from accessing it. The criminal will then demand a ransom – usually in untraceable bitcoin – in exchange for the decryption key. Healthcare organizations are particularly vulnerable to this type of attack due to the sheer necessity of this information - without it, lives could be in jeopardy. It should come as no surprise that ransomware attacks are becoming more common and more deadly, with 88% of all ransomware attacks targeting healthcare organizations.
[Figure: Percent of Ransomware by Industry]
Hollywood Presbyterian Medical Center experienced the effects of a ransomware attack firsthand in March 2016, when criminals prevented the medical center from accessing its EHR for an entire week until the hospital paid the hackers $17,000.
However, some criminals add a further layer of complexity by using the ransomware attack itself as a diversion. When a ransomware attack occurs, law enforcement and security staff often focus solely on dealing with the ransomware, leaving the rest of the system unwatched and allowing criminals to access patient records and quietly exfiltrate them. Even if a hospital has backups of its patient data and can restore it, or if it simply pays the ransom to get the records back, it has no way of knowing how many records were exfiltrated while the criminals held the information for ransom.
The Real Victims
Ransomware attacks are just one example of how criminals are making their attacks more sophisticated and more deadly. If healthcare organizations continue to delay putting proper security measures in place to protect their EHRs, they will find themselves in the headlines for all the wrong reasons. Organizations that get serious about patient privacy will need a layered security posture that protects the EHR system against threats from both internal and external sources. When an organization fails to implement these measures, it is often the patients who pay the price.
Victims can easily spend thousands of dollars and hundreds of hours simply trying to put their lives back together. It is imperative for healthcare organizations to become proactive in monitoring and protecting their patient data. The sooner a breach is discovered, the sooner the organization can mitigate the risk of catastrophic damage to its reputation and, more importantly, to its patients' lives.