Health Security

I’ve been reading a number of recent studies regarding data breaches in healthcare, such as ‘The 2014 Bitglass Healthcare Breach Report’ by Bitglass and ‘Fourth Annual Benchmark Study on Patient Privacy & Data Security’ by The Ponemon Institute, and there are a number of key facts that jump out at me:

– The number of healthcare data breaches continues to rise
– The cost of a breach continues to rise, both to the breached organization as well as the affected individuals
– The attacks continue to grow in complexity and sophistication

Attacks against healthcare organizations continue to generate headlines, and a number of media pundits have even declared 2015 as ‘the year of the healthcare breach.’ None of this is particularly unique, since it mirrors what’s happening across the entire spectrum of cybercrime. However, with further analysis, healthcare attacks exhibit a number of unique characteristics that distinguish them from traditional financial data breaches.

The first is the attack surface of the data being targeted. With credit card numbers and bank account information, organizations are continually working to minimize the footprint of the data stored within their infrastructure. As it turns out, very few people within any organization have an actual business reason to access the data, so organizations are leveraging technology such as tokenization to reduce the number of copies actually stored. And if an employee with a valid business reason can’t access someone’s credit card data, the impact is usually a few hours’ delay in servicing the customer. In many ways, requirements for healthcare-related information are almost the polar opposite – many people across and even outside of the holding organization may need rapid access to the data to make quick decisions that can impact the patient’s health or even their life. Admissions personnel, doctors, EMTs, nurses, lab technicians, therapists and a host of other supporting personnel are making daily decisions based on the information they have available regarding the patient; missing even one critical piece of data can make the difference between life and death. And many of those personnel may be outside of the hosting organization.
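To make the footprint-reduction point concrete, here is an added example (not code from the original post or from any product it mentions) of the tokenization pattern it refers to: a single vault holds the card number, every downstream system stores only an opaque token, and only a named role may ever reverse the mapping. The vault class, the role name and the sample card number are assumptions constructed for the illustration.

```python
"""Single-vault tokenization: downstream systems keep a token, never the PAN.

Added illustration of the data-footprint idea in the post. The vault, the
role names and the sample values are assumptions, not any real product's API.
"""
import secrets

# Assumed: the only role with a business reason to see the real card number.
AUTHORIZED_ROLES = {"payments-settlement"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so obviously malformed input is rejected before vaulting."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The one place a card number is stored; everything else holds tokens."""

    def __init__(self):
        self._by_pan = {}       # pan   -> token (so repeat use yields the same token)
        self._by_token = {}     # token -> pan
        self.audit = []         # every detokenize attempt, allowed or not

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        # The token keeps only the last four digits (enough for a support agent
        # to confirm "the card ending in ..."); the rest is random, so the token
        # carries no recoverable card data if a downstream database leaks.
        token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Reverse the mapping, but only for an authorized role, and always log it."""
        self.audit.append((role, token))
        if role not in AUTHORIZED_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def onboard_customer(vault: TokenVault, pan: str):
    """What the CRM and analytics stores end up holding: tokens only."""
    token = vault.tokenize(pan)
    crm_record = {"customer": "C-001", "card": token}          # constructed sample
    analytics_row = {"card_last4": token[-4:], "spend": 120.0}  # constructed sample
    return crm_record, analytics_row


if __name__ == "__main__":
    vault = TokenVault()
    crm, analytics = onboard_customer(vault, "4111 1111 1111 1111")  # well-known test PAN
    print(crm, analytics)
    print(vault.detokenize(crm["card"], "payments-settlement"))
```

The design choice worth noticing is that the number of systems holding the real value has collapsed to one, which is exactly what the post says is hard to replicate for clinical data: a nurse or EMT cannot wait for a settlement role to detokenize a patient's history.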

Related to the issue of hosted data sprawl is the concept of data source sprawl. With financial data there are typically only a few well-understood points of origin for all data entering the environment – e.g. a website, bank teller, ATMs, etc. With modern healthcare data there may be dozens of different sources, and the number seems to be growing weekly. Wearable health devices, healthcare apps on phones, healthcare web sites, drugstore clinics, web chats with doctors and self-test kiosks are only a few of the new technologies that are springing up all over the world that generate a near-continuous stream of health-related data on consumers. Each of them generates information that any organization required to make healthcare-related decisions for a patient needs access to.

The third significant difference with healthcare-related cybercrime is the back-end cash-out mechanism. With credit card and banking data the thieves would typically quickly sell the stolen data on the Darknet, and the purchaser would then cash out by transferring money to their accounts or purchasing expensive merchandise which they would resell. This process would typically occur within hours or days of the theft, and can be accomplished entirely online. With healthcare-related data the cash-out process typically takes one of two forms – identity theft or medical fraud. Identity theft is a well-understood process that requires a fairly time-consuming and sophisticated effort on the part of the thief, and a major physical supporting organization to accomplish on any large scale. With medical fraud the perpetrators typically require an even more sophisticated back-end supporting infrastructure in order to be able to submit fake prescriptions for drugs they can resell, submit bills for fake tests in the patient’s name, etc.

The fourth area of difference is the source of the breaches. All of the major credit card breaches that made headlines in the last few years were the result of an external attack – someone from outside the organization gained unauthorized access utilizing complex technical means via the network, then located and exfiltrated the target data. However, with healthcare the majority of the breaches have been due to lost or physically stolen data (frequently stored on mobile devices), not due to external ‘hacking’ attacks. According to ‘The 2014 Bitglass Healthcare Breach Report’ from Bitglass, 68% of healthcare data breaches occurred due to lost or physically stolen data – only 23% were due to external network-based attacks.

The final and potentially the most critical difference is the impact to the consumer. With credit card breaches, the banks can quickly cancel the credit cards and issue new ones. At most the consumer may be liable for $50 of the cost and be inconvenienced for a few days. With healthcare-related identity theft and medical fraud breaches the impact to the consumer can be significantly higher – Ponemon’s 2013 healthcare breach report pegged the average cost to the consumer at $18,660 per victim. It can also take a consumer years to get things like fake test results and prescriptions removed from their medical history, and in the meantime the false information can have a dramatic impact on their life. For example, a person who is a victim of medical data theft applies for a job requiring access to sensitive information or performing some sensitive activity; as part of the standard screening process the company runs a background check and discovers that the person had recently been (falsely) prescribed a large number of expensive drugs designed to control psychotic behaviour. As a result they fail to get the job.

While a close cousin to financial data breaches, healthcare-related data breaches have a number of factors that make them a unique and ugly beast. With healthcare data the issues of information, identity and access management and monitoring are significantly amplified by the requirements and subsequent design of the dynamic information infrastructure, and require a strong proactive hand at the security helm. Incident recovery also needs to be beefed up to provide better assistance to the victims whose data the breached organization is responsible for. And finally, law enforcement needs to become a more integrated part of the response process to target the physical back-end cash-out infrastructure required to leverage these types of breaches.