September’s largest single incident involved a ransomware that affected 58,000 records. While the overall number of breached records is down, the second half of 2016 is shaping up to be significantly worse than the first half when it comes to patient data security. September’s breach totals include several olympic athletes after the World Anti-Doping Agency (WADA) suffered from a hacking incident apparently at the hands of Russian cyber-espionage group, Tsar Team (APT28), also known as Fancy Bear. While this month’s patient records breached total (246,876) pales in comparison to this past summer’s total (20 million), it’s important to re-emphasize the ever-evolving threats to patient data and the misfortune that can occur when this information lands in the wrong hands.

The Institute for Critical Infrastructure Technology (ICIT), the nation’s leading cyber security think tank, hosted a briefing at the U.S. Senate Dirksen Office Building on their report published in September, “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims.”It provides an up-close view into the deep web’s healthcare data markets, where hackers illegally sell records for hefty prices.  The report outlines the logic behind the valuation of health records and predictions on the future of healthcare cyber security.  It was co-authored by James Scott and Drew Spaniel with contributions from ICIT Fellow and Protenus Co-Founder/CEO, Robert Lord.  

National Cyber Security Awareness Month is here! Started by the US Department of Homeland Security and the National Cyber Security Alliance 13 years ago, it's a collaborative effort between government and the companies protecting patient privacy to ensure that all Americans have the necessary resources and knowledge to stay secure online. See the full calendar of events here.

The Dark Overlord made headlines earlier this year by advertising the availability of 9.2 million US hospital records on the Dark Web and selling them for 730 bitcoin, which is more than $450,000. Just a few weeks ago, Fancy Bear, a Russian cyber espionage group, exposed medical records of top olympians, revealing that they had received exemptions to use doping medications. Hackers receive a great deal of media attention because their tactics are deeply mysterious to the average person and frequently result in the exposure of thousands of records. However, one group’s activity potentially represents the biggest threat to patient data: insider snooping. These snoops are hospital employees who have access to the EHR and misuse this privileged access. They look at the medical records of colleagues, family and friends out of curiosity, for potential blackmail purposes, or a host of other reasons.

Patients most frequently interact with doctors, nurses, and allied health professionals, making it easy for them to forget about all of the other people that go into running a hospital. Among the many unseen activities that go on in healthcare, hospitals need teams managing patient data, submitting insurance billing, maintaining legal compliance in clinical trials, and ordering medical supplies, in order to properly operate. Compliance teams can work with patients to help them better understand how the healthcare organizations they visit monitor and protect their electronic protected health information (ePHI).