A Brief Report on Data Breaches in U.S. Healthcare. What, Why, and How?

Research Paper 2015 20 pages

Health - Public Health

Excerpt

Table of Contents

Introduction

Arguments
Data breaches in healthcare: Can customers’ data be better protected by their healthcare institution?
Breaches by type: How the data is lost?
Cloud storage of medical data: Safe or sloppy?

Conclusion

References

Abstract:

Data breaches in U.S. healthcare have become ubiquitous, with modern hackers homing in on healthcare data due to its lucrative economic value. Cyber crooks regard medical identity theft as ‘The triple crown of stolen data’ as it’s worth more than a Social Security Number or credit card number in the internet black market. The black market rate for each partial EHR is $50 as compared to $1 for a stolen Social Security Number or credit card number. With healthcare organizations contributing to 44% of data breaches, this report analyzes the evolving security measures and trends in the healthcare industry to protect data from cyber crooks. An infographic study was carried out to explore the ways by which data is lost, the states accounting for the most and least number of medical data breaches, and the location of breached information. The outcome of this infographic study is expected to pave the way for future research and scholarly debate. The potential of cloud computing in healthcare has been taken into account and analyzed for its benefits of adoption and use, obstacles, and its forecast in the near future. At the outset, this report is a snapshot of U.S. healthcare’s defensive preparation and strategy against the level of cyber-attacks that will be coming at them, a statistical analysis of the types of breach impacting healthcare organizations the most, a state-wise percentage analysis of medical data breaches, and cloud computing as a defensive solution to protect data from cyber-attacks and from insider threats: disgruntled employees and patient-record snoopers.

Keywords: Medical ID theft, economic value, cyber threats, breach types, defensive strategies, cloud computing.

Introduction:

Information security (InfoSec) is critical to every organization today – especially healthcare, with reports of breaches against healthcare organizations, large and small, continuing to rise. [1] That said, International Data Corporation (IDC) predicts 1 out of 3 individuals will have their healthcare records compromised by cyber-attacks in 2016. [2] Modern hackers of the online world regard medical information as a ‘treasure trove’ given its lucrative economic value. [3] The large amount of credential information contained in the Electronic Health Record, including name, birth date, policy number, diagnostic code(s), billing information, and Social Security Numbers, makes it worth the trouble for the hackers. [4]

The potential of granular data is certainly propelling hackers of all stripes to perforate the defenses of hospitals and other health organizations holding such data. The healthcare industry in particular is an enticing target for data breaches as the market for stolen medical records continues to grow. [5] These records are auctioned and sold in remote corners of the internet black market. Medical and personnel records are increasingly more valuable to cybercriminals than credit card data. [6] According to the FBI, the black market rate for each partial EHR is $50 as compared to $1 for a stolen Social Security Number or credit card number. [7] Some of the notable data breaches in healthcare between 2009 and 2015 are shown in Figure 1.

illustration not visible in this excerpt

Figure 1: Notable data breaches in healthcare between 2009 and 2015. Source: InfoSec Institute, http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market/

Three underlying reasons for cyber attackers to hack health data include: lack of infrastructural security within the healthcare organization, the shelf life of medical data, and the Social Security Number, which is particularly valuable in identity theft. [8] It is intriguing that medical identity theft can impact not just a victim’s financial stability but can potentially put a patient’s life at risk, as victims of medical identity theft may receive the wrong type of care due to tampered medical files. [9] That said, it is important for healthcare organizations to implement best security practices to keep patients’ records secure and intact.

While it’s relatively easy to spot a credit card breach, the process of divining the provenance of a stolen healthcare record is not as straightforward. [10] The credit card industry has been combatting this threat long enough to have a streamlined process in place for dealing with stolen information, but this is new territory for healthcare. [11] An experiment conducted by Bitglass in April 2015 transmitted a few synthesized fake names, Social Security Numbers, and health record information through the company’s proxy, which automatically watermarked the file. [12] The complexity of tracking a medical data breach is well simulated in Figure 2.

illustration not visible in this excerpt

The state of cybersecurity in healthcare is indeed alarming. It’s little wonder that cybersecurity is the leading concern among health-IT decision makers. To get these security holes patched, healthcare facilities must identify potential risks, take appropriate actions, and improve diligence on revamping systems to prevent data theft.

This paper focuses on the need for better security controls taking into account numerous breaches and threat landscapes the healthcare sector in the United States is currently facing. At the outset, this paper provides insights into preparedness of healthcare organizations against potential breach threats, state-wise percentage analysis of healthcare data breach, and cloud technology as a solution for protection of data.

Arguments:

Data breaches in healthcare: Can customers’ data be better protected by their healthcare institution?

Healthcare data remains a cyber crook’s ideal target given its lucrative economic value, the vulnerability of healthcare’s cybersecurity systems, and the ease of stealing medical information due to lack of infrastructural security within the industry. [13] Although the digital and technological revolution is shaping the future of connected care, U.S. healthcare’s transition of medical records to digital space has made protected health information more available to skilled hackers. [14] The increasing cyber threats have been attributed to the ease of stealing medical information, which makes it worth the trouble for hackers. [15] With hackers homing in on healthcare data, cyber threats against healthcare organizations increased sharply, by 100% between 2009 and 2013 and by 72% between 2013 and 2014. [16] The aggressive and targeted cyber-attacks affecting the healthcare industry have now made cybersecurity a top business priority for healthcare organizations.

The puzzle of how to carry successful security practices from banking over into healthcare has not been addressed, despite the track record of software and tools like total fraud protection, Kerberos, two-factor authentication, detect-ID, and Pretty Good Privacy (PGP). [17], [18], [19] Banks have stepped up their online security by incorporating advanced encryption technologies for secure transactions, while health insurers and hospitals have not taken security seriously. [20] Funds are typically allocated by healthcare organizations for new machines and noteworthy physicians who drive more patients and have a direct impact on profits, while security is neglected. [21] The percentage of healthcare organizations’ IT budgets dedicated to information security is shown in Figure 3.

illustration not visible in this excerpt

Many healthcare organizations neither encrypt records within their internal networks nor encrypt data at rest and in transit. [22] HIPAA addresses a number of patient privacy issues but doesn’t require encryption of people’s data. [22]

Security tools used by hospitals to defend against data theft have changed since 2008, and the change is a positive one (Figure 4). Use of encryption, in transit and at rest, is also on the uptick. Survey respondents seem to agree that the traditional defensive weapons in use will likely not help defend them from the cyber-attacks of tomorrow. [23] More sophisticated, heuristic tools are thus required to aid in successful cyber defense in the future.

illustration not visible in this excerpt

Cyber security experts caution that encryption of data would not be a 100% solution; features like application and network security, multi-factor authentication, and data breach response plans, which have long been overlooked, will also be required. [24] Patching electronic medical devices and encrypting portable devices are other recommendations. A layered or ‘defense in depth’ approach is the need of the hour, as it would give defenders sufficient time to identify the breach, delay the attackers, and ultimately prevent the attack in order to keep the most valuable assets safe. [25] Figure 5 shows some of the common errors that health organizations commit in conducting a risk assessment. Data protection strategy against medical data breach still remains ‘a solution in search of a problem’ and no magic bullet has yet been proposed.

[...]


[1] Hourihan, C., Cline, B. (2012, December). A look back: U.S. healthcare data breach trends. Retrieved from https://hitrustalliance.net/content/uploads/2014/05/HITRUST-Report-U.S.-Healthcare-Data-Breach-Trends.pdf

[2] Ratchinsky, K. (2015, November 5). IDC releases top 10 predictions for healthcare and IT is in the driver’s seat. Retrieved from http://www.healthcareitnews.com/blog/idc-releases-top-10-predictions-healthcare-it-drivers-seat

[3] Smith, M. (2014, October 3). Medical ID theft: How scammers use records to steal your identity. Retrieved from http://www.makeuseof.com/tag/medical-id-theft-scammers-use-records-steal-identity/

[4] Smith, M. (2014, October 3). Medical ID theft: How scammers use records to steal your identity. Retrieved from http://www.makeuseof.com/tag/medical-id-theft-scammers-use-records-steal-identity/

[5] Kuchler, H. (2015, June 17). Patient records are target for cyber crooks. Retrieved from http://www.ft.com/cms/s/0/20046010-e1cb-11e4-bb7f-00144feab7de.html#axzz3u1yOYeWL

[6] Lowes, R. Stolen EHR charts sell for $50 each on black market. Retrieved from http://www.medscape.com/viewarticle/824192

[7] Lowes, R. Stolen EHR charts sell for $50 each on black market. Retrieved from http://www.medscape.com/viewarticle/824192

[8] Kossman, S. (2015, April 15). Healthcare data breaches: Why you should be concerned. Retrieved from http://blogs.creditcards.com/2015/04/health-care-data-breaches-why-you-should-be-concerned.php

[9] Weisman, S. (2015, July 25). Another healthcare data breach. Retrieved from http://www.usatoday.com/story/money/personalfinance/2015/07/24/steve-weisman-health-care-data-breach/30593661/

[10] Garrubba, T. (2014, November 10). 5 ways health data breaches are far worse than financial ones. Retrieved from http://www.govhealthit.com/news/5-ways-health-data-breaches-are-far-worse-financial-ones

[11] Garrubba, T. (2014, November 10). 5 ways health data breaches are far worse than financial ones. Retrieved from http://www.govhealthit.com/news/5-ways-health-data-breaches-are-far-worse-financial-ones

[12] Krebs, B. (2015, April 15). A day in the life of a stolen healthcare record. Retrieved from http://krebsonsecurity.com/2015/04/a-day-in-the-life-of-a-stolen-healthcare-record/

[13] Kuchler, H. (2015, June 17). Patient records are target for cyber crooks. Retrieved from http://www.ft.com/cms/s/0/20046010-e1cb-11e4-bb7f-00144feab7de.html#axzz3u1yOYeWL

[14] Ponemon Institute. (2011, March). Second annual survey on medical identity theft. Retrieved from http://www.experian.com/assets/data-breach/white-papers/second-annual-survey-medical-idenity-theft.pdf

[15] Kossman, S. (2015, April 15). Healthcare data breaches: Why you should be concerned. Retrieved from http://blogs.creditcards.com/2015/04/health-care-data-breaches-why-you-should-be-concerned.php

[16] Ashiq, J.A. (2015, July 27). Hackers selling healthcare data in the black market. Retrieved from http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market/

[17] Mathew, J. (2014, November). Hackers target medical records as electronic data becomes less lucrative. International Business Times. Retrieved from http://www.ibtimes.co.uk/hackers-target-medical-records-electronic-data-becomes-less-lucrative-1476043

[18] Yang, Y. J. (1997). The security of electronic banking. National information.

[19] Claessens, J., Dem, V., De Cock, D., Preneel, B., & Vandewalle, J. (2002). On the security of today’s online electronic banking systems. Computers & Security, 21(3), 253-265.

[20] Ashiq, J.A. (2015, July 27). Hackers selling healthcare data in the black market. Retrieved from http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market/

[21] Mundis, A. (2015, October). Why healthcare data is becoming so valuable. Retrieved from http://www.resource1electronics.com/assets/increasing-value-of-health-information.pdf

[22] Ashiq, J.A. (2015, July 27). Hackers selling healthcare data in the black market. Retrieved from http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market/

[23] Miliard, M. (2015, November 12). Cybersecurity strategies evolving in face of big risk. Retrieved from http://www.healthcareitnews.com/news/cybersecurity-strategies-evolving-face-big-risk

[24] Ashiq, J.A. (2015, July 27). Hackers selling healthcare data in the black market. Retrieved from http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market/

[25] Bowen, C. (2015, July 8). The seedy underworld of medical data trafficking. Retrieved from http://www.healthcareitnews.com/blog/seedy-underworld-medical-data-trafficking

Details

Pages: 20
Year: 2015
ISBN (eBook): 9783668151130
ISBN (Book): 9783668151147
File size: 1.2 MB
Language: English
Catalog number: v315187
Institution / University: Northeastern University of Boston
Grade: 1
Keywords: data theft data breach healthcare USA fraud internet criminality data loss cloud computing
