The Institute for Critical Infrastructure Technology (ICIT), the nation’s leading cyber security think tank, hosted a briefing at the U.S. Senate Dirksen Office Building on its report published in September, “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims.” The report provides an up-close view into the deep web’s healthcare data markets, where hackers illegally sell records for hefty prices. It outlines the logic behind the valuation of health records and offers predictions on the future of healthcare cyber security. It was co-authored by James Scott and Drew Spaniel, with contributions from ICIT Fellow and Protenus Co-Founder/CEO Robert Lord.
Protenus CEO, Robert Lord briefing the U.S. Senate
At the briefing, eight leading cyber security and healthcare experts - James Scott, Leo Scanlon, Dr. Ron Ross, Ryan Brichant, Rob Bathurst, Don MacLean, James McNary and Robert Lord - came together on two panels to discuss key points from the report. Panelists shared their expertise on the deep web and its actors, discussed cyber threats to health IT from both private and public sector perspectives, and recommended steps hospital leaders can take to strengthen patient data security and ultimately protect ePHI.
Stolen patient data can cost healthcare institutions millions of dollars and damage the lives of affected patients. Download our cost of a data breach white paper to understand how much a data breach costs.
Top Five Takeaways from the ICIT Briefing on Cyber Security for Healthcare
The sessions yielded five key takeaways on protecting patient privacy in the EHR in an era of evolving and growing threats.
1) The frequency of data breaches is increasing.
Protenus’ CEO Robert Lord noted that 39% of all cyber attacks affect healthcare and 113 million records were breached in 2015. Hackers earn more money from selling health information on the dark web than any other type of data. A single stolen medical record containing a patient’s medical diagnoses, social security number, address, and billing information can sell for hundreds of dollars. Beyond this, hackers can formulate new identities using this hard-to-change information to perform billing and prescription fraud, and even alter patients’ diagnoses and prescriptions in the EHR.
2) Investment in health data security lags investments in the digitization of health records.
The panelists hypothesized why technologies designed to protect patient privacy have been implemented at an underwhelming scale despite the widespread digitization of patient records. One explanation is that although $30 billion in incentives has been awarded to healthcare institutions over the past 8 years to support EHR implementation, very little of this has been allocated to privacy and security. The panelists called for the government to institute new federal incentive programs dedicated to security initiatives.
3) Health cybersecurity postures are often reactive.
Panelists explained how security investments have historically been viewed purely as a cost center, at least until a breach occurs. Owners of security programs need to own a seat at the boardroom table, and C-suite executives need to understand that security plays a critical role in providing high-quality patient care.
4) Employee snooping in the EHR is the top threat to electronic health records.
The panelists acknowledged insider snooping as the top threat to keeping patient health data safe. Hospital leaders likewise recognize insider snooping as the top threat, one that puts providers at risk of paying thousands of dollars in HIPAA fines, just one of the many costs associated with a privacy breach.
5) Organizations must organize their resources to quickly detect and resolve breaches; this is the best way to protect hospital medical records.
Security leaders need to take stock of where their program is, and formulate next steps based on a realistic assessment of the largest unmanaged threats they currently face. If a hospital just hired a CISO, their next best step will be different from one that has a large privacy and compliance team and fully-formed breach response plans. Reviewing research including the Breach Barometer can help prioritize where the biggest threats to patient data lie.
As Dr. Ron Ross of NIST put it, the security and privacy the healthcare industry enjoyed in a paper-based world no longer exist, and we now need to face the new challenges that come with digitized patient records. While the panelists stressed that our nation faces an impending privacy crisis if we continue down the current path, they were hopeful that existing solutions can steer us onto a better one.
To understand how our patient privacy monitoring platform can keep your patients’ health data off the dark web, and how we have transformed the approach to patient privacy monitoring at leading institutions such as Johns Hopkins, download our Johns Hopkins case study here.