Perhaps this is a question you have never thought to ask, and before April of 2009 it was not even in the realm of curiosity for me either. But as I entered Urgent Care for what I thought might be bronchitis or something similar, only to be asked by the medical assistant, “Do you know you are yellow?” my world was immediately turned upside down. A trip to the ER and several other doctor’s visits and blood tests later confirmed I had Hepatitis C.

It is no secret that electronic health records (EHRs) are incredibly valuable. One needs to only look at the number of cyber attacks that target healthcare organizations as proof that those records contain extremely valuable patient information.

The healthcare industry is under siege.

Health data breaches of patient information have become all too common, with both external and insider threats trying to gain access to patients’ electronic health records (EHRs), and it does not appear that the number of attacks will ease up anytime soon. But this begs the question: Why are EHRs so vulnerable to attack? And why do criminals target them in the first place?

Over the past few weeks, we focused our “Patients at Risk” series on the various threats that hospital insiders present to patient data. Now, we are shifting our attention to ones stemming from external parties.

The Dark Overlord made headlines earlier this year by advertising the availability of 9.2 million US hospital records on the Dark Web and selling them for 730 bitcoin, which is more than $450,000. Just a few weeks ago, Fancy Bear, a Russian cyber espionage group, exposed medical records of top olympians, revealing that they had received exemptions to use doping medications. Hackers receive a great deal of media attention because their tactics are deeply mysterious to the average person and frequently result in the exposure of thousands of records. However, one group’s activity potentially represents the biggest threat to patient data: insider snooping. These snoops are hospital employees who have access to the EHR and misuse this privileged access. They look at the medical records of colleagues, family and friends out of curiosity, for potential blackmail purposes, or a host of other reasons.