The Value of Healthcare Data
February 22, 2016
The rising number of healthcare hacks demonstrates that healthcare data has tremendous value in the wrong hands. Some experts call 2015 “the year of the healthcare hack.” That year brought us some of the largest hacks to date, like:
- Premera Blue Cross — 11 million customers
- Anthem — 80 million current and former customers
- CareFirst BlueCross BlueShield — 1.1 million customers
- UCLA Health System — 4.5 million customers
- Excellus BlueCross BlueShield — 10 million customers
Why Do Hackers Want Healthcare Data?
It’s not difficult to understand why credit card numbers would be valuable to hackers, but it’s hard to imagine why hackers would want to know who John Smith’s insurance provider is and what daily medications he takes. That is, until you look at the sheer volume of information health records contain and the number of creative ways that hackers can monetize it.
Health Records often contain:
- Full Legal Name
- Social Security Number
- Date of Birth
- Insurance Provider
- Email Address
- Medical History
- Medications Taken
- Credit Card Number
In some estimates, medical records are 10 to 20 times more valuable than credit cards because multiple pieces of information are stolen. The information within a record can be sold as an entire package or broken out into different data groups and sold to different people. Here are a few examples of how the information can be used:
- Health Insurance Fraud — One person purchases John Smith’s entire health record so that they can receive medical care in his name. All the bills are sent to his insurance company so John is unaware of the fraud and the insurance company is not aware that he isn’t the filer.
- Drug Abuse/Trade — Another person purchases John’s entire health record to obtain his prescription for pain medicine, a controlled substance that they may abuse themselves or sell to others.
- Identity Theft — The hacker may sell John’s social security number separately from his health record. In addition to obtaining medical care, his social security number can be used to open financial accounts, file for tax refunds, steal social security benefits, and commit crimes.
- Credit Card Fraud — Much like social security numbers, hackers may sell Mr. Smith’s credit card number separately from the rest of his record.
- Email Databases — Criminals purchase email lists to scam users.
There are two other large benefits to hackers in stealing health records over credit card numbers:
The FBI has warned healthcare providers that their cyber security networks are not sufficiently secure compared to the networks of the financial and retail sectors, making healthcare systems even more vulnerable to attacks by hackers.
It Has a Longer Shelf Life
Credit card companies are constantly monitoring each of their cardholders’ accounts for fraud, and cardholders are aware that fraud happens. When they detect fraud, they immediately shut down the card. The information within a health care record can’t easily be changed or blocked against further use. It may take months or years to secure compromised health data.
Unfortunately, these issues won’t go away anytime soon. Experian stated in their 2016 Data Breach Industry Forecast, “We predict that healthcare companies will remain one of the most targeted sectors by attackers, driven by the high value compromised data can command on the black market, along with the continued digitization and sharing of medical records.”
Having your HIPAA Compliance Plan in place and up to date is a good start, but it’s not enough. Here are the three most important things you can do to secure your data:
The best way to prepare for a hack is to create one. Penetration Testing replicates techniques used by hackers to determine how a system will react to an attack, identify weaknesses, and determine what information can be acquired.
Train Your Employees Regularly
HIPAA requires organizations to train their employees on their policies and procedures annually. Quarterly, monthly and even weekly reminder training is a great way to avoid employee complacency, an issue that Experian suggests may be the leading cause of breaches in 2016.
Implement a Password Protocol
Your HIPAA policies and procedures must contain a well-documented password protocol, including guidelines for scheduled password changes.
By implementing HIPAA Privacy and Security guidelines, you’re less likely to be “hacker bait.” Need help with your HIPAA Compliance Plan? Contact us today.