The Impact of Organizational Negligence on Our Health Data
By Britt Garrett
Is healthcare doing everything it can to prevent information from being released or breached?
The industry is the worst when it comes to stopping insider data breaches, according to Verizon’s 2018 Data Breach Investigations Report (DBIR). It leads all industries, including the financial industry, in cybersecurity attacks. In 2018, over 750 incidents were reported, a quarter of them breaches ranging from data theft to ransomware and wire transfers.
An important fact to consider about Personal Healthcare Information (PHI) is that it is more valuable on the black market than typical Personal Identifiable Information (PII) or financial information, such as credit card credentials. CBS News and other agencies have reported that PHI can sell for roughly $1,000, while credit card information sells for only $110, and Social Security Numbers can be purchased for as little as $1.
Why this value disparity? One’s personal health history, including ailments, illnesses, diseases, and surgeries, can’t be changed, but credit card information or Social Security Numbers can. Plus, it is easy today to pay for services that will monitor, alert, and even stop unauthorized or suspicious financial activities.
“PHI theft has a longer shelf life than stolen credit card data, where the payout is immediate and ends as soon as the card or account is canceled,” says Kim Green, CHC, CISA, chief security and privacy officer at Zephyr Health.
The use of PHI is only limited by the creativity of the person who holds that information. PHI can be profitable to criminals in a number of ways:
- Extortion (aka blackmail) – Demanding money from individuals or health care organizations to prevent exposing private medical information.
- Fraud – Abusing the PHI to obtain health care services, medical equipment, and pharmaceuticals, then selling those items or filing false claims.
- Identity Theft – Masquerading as someone else for financial gain.
- Data Laundering – Converting stolen data so that it can be sold or used by ostensibly legitimate databases.
You would think healthcare data security would be a top priority, but many organizations still take shortcuts, exposing the healthcare data for which they are accountable to a high risk of compromise. Is Private Health Information being protected and treated as a priority? From HealthITSecurity.com, “Only 29% of healthcare organizations report having a comprehensive cybersecurity program in place, according to 2018 CHIME HealthCare’s Most Wired survey.”
The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule, and some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST). The HIPAA Security Rule requires organizations to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of Electronic Protected Health Information (e-PHI).
The HIPAA Security Rule also states under section 45 CFR 164.308, which is an Administrative Safeguard, that an organization needs to “Identify a HIPAA Security Officer who is responsible for the development and implementation of policies and procedures to ensure the integrity of e-PHI.”
This role is usually fulfilled either by the Compliance Officer, due to their understanding of administrative functions such as creating and maintaining policies and procedures, or by the Information Technology (IT) Manager, due to the perception that the integrity of e-PHI is an IT issue. Either way, it tends to be treated as a secondary function or completely overlooked. This often results in underqualified or unqualified individuals being responsible for performing the role.
Why are Cybersecurity Breaches Common in Healthcare?
A range of reports estimate that only 25-35% of reported healthcare companies have proper and sufficient resources in place to prevent and/or respond in a timely manner to breaches.
Accordingly, the healthcare industry is not making it a priority to hire the right people, invest in technology, and administer documentation to protect private information. Cybercriminals are kids in a candy store gathering everything they can with little or no resistance.
With so many companies today providing outsourced services like policy development, staff augmentation, and managed security services, the poor results are failures or deficiencies of the companies in question. These outsourced services can be more efficient and cost-saving, and can provide a robust bench of expertise, compared with relying on overtaxed and inexperienced in-house staff. A good first step is reaching out to an experienced cybersecurity professional to discuss your needs and assess your current cybersecurity posture.