Why Healthcare Hacking is Profitable and How You Can Prevent itPublished February 18, 2016 by Brad Thies • 3 min read
This post was originally published on Medical Practice Insider.
Not long ago, hackers focused on stealing financial data. The digitization of financial transactions brought heavy regulation and security to protect those transactions, but thieves still found ways to steal things like credit card numbers to sell on the dark web. Now, online criminals have turned their attention to more valuable digital data: your electronic healthcare records.
Why? Because, while there will always be a market for stolen financial information, the information sells cheaply. If you find out a hacker stole your credit card number, you call your bank and cancel the card. If someone steals it and tries to make large or strange purchases across the country, your bank shuts the card down and calls you about suspicious activity. Credit card theft won’t disappear, but it simply isn’t as profitable as it used to be.
Now, hackers want healthcare records. Compared to $1 for a credit card number, anonymous online buyers will pay $50 per partial electronic healthcare record. This information is valuable. Criminals can use your healthcare records to make fraudulent insurance claims for fake procedures at fake hospitals.
Demand is high, and supply is ready to match. Since 2009, hackers have stolen the records of more than 120 million people in more than 1,100 separate breaches. The largest hack to date, the infamous Anthem data breach, has been well documented. Recently, Premera Blue Cross suffered a breach of medical and financial records affecting 11 million people. Recent studies show the rate at which hackers target large healthcare entities continues to increase.
With danger seemingly around every corner, how can you prevent your business from falling prey to a healthcare hack?
1. Perform a risk assessment. To make improvements, you must first know where your business stands. Analyze the following categories:
• Blocking and tackling: Look at the basics. Are you understaffed? What are your reporting metrics, controls, policies, and processes? Do you have executive support for security budgeting?
• Compliance: Look at compliance frameworks to drive security decisions (e.g., HIPAA)
• Risk-based analysis: You need multilayered security and a risk-based approach that can correlate events like security incidents across multiple business environments, then rank and respond to them using dynamic information security and IT audit controls
2. Review your vendors and customer agreements at least annually. To take care of your data, understand the covered entity and business associate relationships. The recent Omnibus rule redefines the standards of information care for vendors in the healthcare industry, such as cloud-based companies that allow medical records to pass through their servers. Ensure your counsel properly vets and reviews all business associate agreements for compliance requirements, and perform a self-assessment against the requirements within your organization.
3. Assign responsibility within your organization for compliance management. If you suffer a breach, the regulatory fines can hurt even more than the lost records — up to $50,000 per record lost. Ensure someone within your organization fills an InfoSec role, and make a separate security official responsible for the development and implementation of HIPAA policies and procedures. Review HIPAA section 164.308(a)(2).
4. Hold security awareness training. The ones responsible for security within your organization must thoroughly understand applicable compliance structures, such as HIPAA. This includes security for your own company and communications as well as business associates and covered entity relationships. Contact an organization that specializes in security awareness training to help establish a culture of security in your organization.
5. Establish a security framework. Pull everything together to create a sustainable, effective network of security checks and procedures. This framework should include:
• Security governance
• Security policy
• Security engineering and operations
• Security monitoring and reporting
• Security optimization
The process at each step will vary depending on the size, structure, and maturity of your organization. However, at minimum, your business should employ end-to-end encryption and robust network monitoring software to deter and detect a breach.
Creating a solid IT security infrastructure gives you an established framework to ensure security throughout the lifecycle of your most sensitive data. Establish a great framework through threat intelligence by preparing, protecting, integrating, detecting, and responding to potential and present threats as they arise. Be vigilant in your preparation so you’ll be ready when the time comes.