Let’s start with the good security news: Chip and PIN technology are making a difference. In 2015, the number of compromises was at a four-year low: 5.7 million (2016 IBM X-Force Threat Intelligence Report).
Now the bad news: Cybercriminals—rather than invest time and money trying to figure out how to defeat Chip and PIN—started targeting the healthcare industry. Besides avoiding Chip and PIN, there’s significant incentive to steal Electronic Healthcare Records (EHRs).
In this Pittsburgh Post-Gazette article, Rich Lord quotes David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider, as saying, “The value of personal financial and health records is two or three times (the worth of financial information alone) because there are so many more opportunities for fraud. Combine a Social Security number, birth date, along with some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care.”
And it just keeps getting better for the bad guys. In their white paper Your Life, Repackaged and Resold (PDF), authors James Scott, Senior Fellow, and Drew Spaniel, Researcher, from the Institute for Critical Infrastructure Technology write, “Hackers realize that it is simple to cancel a credit card, difficult to change a social security number, and nearly impossible to change all of the information in an EHR.”
What is the fallout from an EHR data breach?
When a healthcare organization is breached, besides having patient data out in the wild, the company likely:
- Gets fined
- Suffers loss of reputation
- Loses investor, employee, and patient support
- Faces litigation or lawsuits
However, Scott and Spaniel admit, breached companies usually recover and move on. That is not the case for the innocent victims whose EHRs were stolen. “When a healthcare system is breached, and patient records are stolen, patients may be forced to suffer the impact of the incessant exchange of their immutable physical details on Dark Web markets for the rest of their lives,” write Scott and Spaniel. “All due to a healthcare organization’s lack of prioritization of cyber security and cyber hygiene within their business.”
Mostly, victims face potential financial ruin and have no recourse to change or cancel the information contained in the stolen EHR. To put it simply, once a hacker owns an EHR, they effectively own the victim.
Not crying wolf
Sadly, this is not a journalist claiming gloom and doom; 2016 has been a banner year for the Dark Web. “In June 2016, a hacker using the moniker ‘thedarkoverlord’ listed three healthcare databases containing 655,000 EHRs on TheRealDeal marketplace,” mention Scott and Spaniel.
The authors go on to state that thedarkoverlord individual/s contacted each victim organization offering to sell back the data, and none of the businesses contacted paid the ransom.
What can be done?
Since direct attacks against EHR databases are relatively new and something that touches each one of us, Scott and Spaniel talk about what, if anything, can be done to reduce or eliminate the fallout from an EHR data breach.
Currently, there is little in place to remediate victims. “There is no convenient number or organization to call or report suspicious activity, and change healthcare information,” write Scott and Spaniel. “Stopping the damage, disputing charges, and correcting records can consume all of a victim’s time and energy. Frustrated victims eventually give up and pay the bills.”
Warning: Tainted EHRs
And to make matters worse, Christina Farr in her Fast Company column On The Dark Web, Medical Records Are A Hot Commodity states, “Important information on the patient’s medical record will often be deleted, like an allergy to penicillin, or new entries added. In some cases, it’s intentional. But it’s more often a by-product of the theft. For this reason, the World Privacy Forum issued a lengthy report that calls it ‘the crime that can kill you.'”
Scott and Spaniel explain that the likelihood of victims’ records becoming tainted significantly increases if the hacker sells the medical identity to multiple buyers, cautioning, “Many victims would not know if there is misinformation intermingled in their records because patients do not see their EHR.”
SEE: Identity Theft Policy (Tech Pro Research)
In their conclusion, Scott and Spaniel do not mince words, saying, “Regardless of how the patient record is abused, the victim patient bears the majority of the long-term impact of the compromise of a system that they had no decision of how to protect, all so that the compromised organization can save budget or procrastinate updating or replacing their Frankensteined legacy technologies.”