Healthcare Data and Cybercrime – the New Cybersecurity Battlefield
Picture a doctor’s office back in the 1950s. It’s nighttime—everyone has gone home and the halls are dark. A masked thief pries open a window and crawls in. He sees the locked glass cabinet filled with valuable drugs—and walks right on past. He’s got no use for the drugs—he’s here to snatch a crateful of medical records!
Crazy scenario. It seems unlikely that Eisenhower-era cat burglars broke into medical offices to get their hands on a bunch of manila folders. But something very much like that is going on today. Medical records are indeed being stolen, but these files are made of ones and zeroes.
So much of our healthcare data is online today in the form of electronic health records (EHR). Though this has opened up all sorts of efficiencies for healthcare providers, it also has introduced a new risk. All of this data is just asking to be hacked by black-hat, parasitic hackers. Actually, it doesn’t need to ask—healthcare cybertheft is becoming an epidemic. 2014 saw two major data breaches affecting as many as 89 million patients. In those cases, affiliates of Blue Cross Blue Shield were attacked by still-unidentified cybercriminals who made off with massive amounts of personal data.
You might ask why hackers want to know whether you’ve ever had your spleen removed. For the most part, they don’t. They want all that other data—your social security number, your mother’s maiden name and so on. (But in theory, even your spleen history could be valuable to, say, unscrupulous insurers.)
Byte for byte, healthcare data is even more valuable on the black market than credit card numbers. Hackers can use it for identity theft, of course, but also corporate extortion. It isn’t beyond reason for a high-profile company to pay a moderate ransom to retrieve its data quietly rather than suffer the customer backlash and public relations fiasco of announcing a breach.
Physician practices and healthcare systems have labored mightily over the past decade to convert their records to EHR. Now more than 91% of hospitals have adopted at least the basic technology. While electronic records offer obvious advantages to both patients and providers, they are bound by stringent security requirements embodied in regulations such as the Health Insurance Portability and Accountability Act (HIPAA). As such, they are both a boon and a burden.
Given the complexity of the data and the regulations surrounding it, providers may be tempted to cut corners on compliance. But as you’d probably guess, that is just bad and dangerous thinking. Not only is data security more important than ever, but putting a security plan in place doesn’t have to be as complicated and expensive as you might think. For example, most companies bound by HIPAA probably already have a firewall. (If you work for a provider that doesn’t have a firewall, stop reading now, close your office door as if there’s nothing out of the ordinary, and call us immediately.)
Beyond the hardware vulnerability, though, is the wetware weakness: people. Most hackers succeed not against silicon but against the unsuspecting employees whose trust they gain. To combat this, a good security plan involves drawing up a detailed body of rules and procedures that everybody in your company internalizes and abides by.
To give you an idea of how much trouble and treasure a good plan can save your company, consider insurance provider Premera, which experienced a massive loss of data and is offering its 11 million affected customers two years of identity theft protection and fraud monitoring. They haven’t disclosed the total financial impact, but only because they’re running from hordes of angry stockholders bearing torches.
Don’t wait for that to happen to you. Do what you can now, before hackers weasel their way into your system.
Unsure of where to start and what to do? Your technology services provider can help you design the plan, assign responsibilities and provide regular training for new employees.
If you’d like to learn more about disaster recovery and business continuity planning and how security plans integrate into them, please let us know. Dynamic Quest’s talented team of business professionals, seasoned analysts, former CIOs, and consultants from top firms provides strategic business services and advice to keep your data safe and secure. We can help you test your current security plan or create one from scratch.