Medical records are the “in” trend for identity thieves
Forget credit cards, Twitter accounts, personal webpages, or even banks.
The new “hot” target for identity thieves is a gold mine of information, more than enough to quickly capture an identity and wreak instant havoc.
The target is your personal medical records and they’re being stolen at a truly alarming rate.
According to a report issued earlier this year by the data protection company Bitglass, over 113 million Americans were affected by a healthcare breach in 2015, which translates into one out of three people.
This represents a 10-fold increase over the previous year and nearly all of it was through database theft rather than a stolen device such as a smartphone or tablet.
So far, 2016 is not looking any better. The U.S. government has disclosed that the healthcare industry averaged at least four data breaches per week through the first quarter.
A quick Google News search shows millions more records being stolen just in the past 30 days from medical providers in Colorado, Georgia, Florida, and Missouri.
What’s going on?
Did the entire medical industry place patient medical records into poorly protected databases that have been rapidly exploited by criminal hackers on a global scale?
What security researchers are seeing is a classic example of plugging one leak and creating another.
As credit card theft lost value and banks began to tighten security using two-factor authentication, chip-embedded cards and other protective measures, criminals were forced to look for more vulnerable online sources of personal information.
According to Rich Campagna, vice president of products at Bitglass, the targets for hacking personal information are shifting.
“Criminals will go after the highest return on investment (ROI) target,” said Campagna. “The ROI on attacking a bank has gone down.”
Banks can now spot potentially fraudulent use before a cardholder even suspects there is a problem, using sophisticated computer models that can quickly identify a pattern of unusual charges for a particular account.
This allows for instant suspension or cancellation of a card before much damage can be done.
Why medical records?
Medical records offer a collection of personal information all in one place that is not monitored so closely and can be much more lucrative to a hacker.
In addition to Social Security numbers, healthcare information usually includes home addresses, insurance data, names of related family members, and birth dates.
In other words, it’s the “mother lode” of everything needed to steal an identity. And even better still, criminals can monetize this information immediately.
“Unlike a credit card, you can’t just cancel your Social Security number and personally identifying information,” said Campagna.
“That record contains absolutely everything that’s required for someone to open an account in my name.”
Until last year, most medical record breaches were the result of lost or stolen devices such as tablet computers or computer equipment where sensitive personal information had been stored.
Nearly three quarters of breaches were attributed to this problem.
Bitglass researchers found that by the start of 2015, lost and stolen devices accounted for fewer than three percent of breaches, having been virtually eliminated as a cause.
The major reason is that organizations began to enable encryption controls for every device.
So if it was stolen, a criminal would have a much more difficult time obtaining any valuable information.
Where are identity thieves stealing this info?
Now, attackers are going after the healthcare databases themselves, revealing huge gaps in the security controls governing how access to patient records is administered.
It’s why so many of the breaches making news in 2016 involve massive numbers of consumer files and a wide array of personally identifying information.
The reasons why healthcare organizations have been so vulnerable are complex and they are grounded in the very nature of the medical profession itself.
Unlike banks, where access to customer records is carefully controlled on a “need to know” basis, hospitals and medical institutions operate more openly, where rapid access to patient information can sometimes mean the difference between life and death.
In addition, the mobile nature of the medical profession means that patient records must be available on a variety of device platforms, including laptops, smartphones, tablet computers, and desktop systems.
Each device poses a security risk and represents a point of vulnerability that can easily be exploited by an enterprising hacker.
Multiply that across thousands of hospitals and tens of thousands of doctors and medical personnel and you have the makings of a first-class security nightmare.
Doctors should stick to medicine and leave security to computer professionals
There is a belief that the power structure within many healthcare organizations also contributed to the vulnerabilities being experienced today.
Campagna points out that in most medical groups, doctors and clinicians rule.
This creates a situation where a chief information security officer (CISO) may have less influence than a CISO would in other industries.
The weaknesses exposed by high profile breaches in recent months have served as a “wakeup call” for healthcare organizations across the United States.
“There has been an awakening inside these organizations that they are now a target,” said Campagna.
“But there is still quite a ways to go before they will be at the top of their game in terms of security.”
Bitglass has a number of customers in the healthcare industry.
Campagna and his team have been working closely with medical organizations to implement a set of practices that will better protect patient records.
“We have been emphasizing the need for security hygiene,” said Campagna.
Because many of the recent breaches have been caused by fairly simple phishing attacks, where a fake email entices a worker to click on a malicious link, medical groups are now educating their personnel to be more alert to these kinds of criminal tools.
Extra measures of security are needed
Campagna believes that two-factor authentication (requiring a second proof of identity, such as a one-time code from a phone or token, in addition to the password before login succeeds), long used by banks and other financial institutions, would be a huge improvement.
According to Campagna, many healthcare groups have increased their use of common applications such as Office 365 and Google Apps, which already have this security tool built in.
Another problem faced by the medical profession is that many groups have not done a full evaluation of where all of their data resides.
Because hospitals often have multiple departments of medical specialty and each maintains separate records on the patients they treat, record storage can become complicated very fast.
Add in the migration of more healthcare organizations to the cloud, and you have increased security concerns that demand closer accounting of where patient information lives and who is accessing it.
A login from an Android device in North Korea, for example, is a ripe candidate to be flagged, whereas internal access by an onsite employee is not.
“The advice we offer is to look at where this sensitive data resides and where it is going,” said Campagna.
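The flagging Campagna describes is simple to express as a rule over login events. The following is an added example written for this article, not a Bitglass product or any code from the organizations quoted; the login history, the new events and the “operating region” of the hospital are constructed sample data, and the scoring thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumption): a short history of known-good logins
# per user, and a batch of fresh events as a monitoring tool would see them.
HISTORY = [
    {"user": "dr.lee", "country": "US", "device": "Windows", "network": "onsite"},
    {"user": "dr.lee", "country": "US", "device": "Windows", "network": "vpn"},
    {"user": "nurse.kim", "country": "US", "device": "iOS", "network": "vpn"},
]

NEW_EVENTS = [
    {"user": "dr.lee", "country": "US", "device": "Windows", "network": "onsite"},
    {"user": "dr.lee", "country": "US", "device": "Android", "network": "vpn"},
    {"user": "dr.lee", "country": "KP", "device": "Android", "network": "internet"},
    {"user": "nurse.kim", "country": "CA", "device": "iOS", "network": "internet"},
    {"user": "temp.account", "country": "US", "device": "Windows", "network": "internet"},
]

# Countries the hospital actually operates in (assumption for the demo).
OPERATING_COUNTRIES = {"US"}


def build_baseline(history):
    """Per-user sets of countries and device types seen in trusted history."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in history:
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["devices"].add(e["device"])
    return baseline


def score_login(event, baseline, operating_countries):
    """Return (score, reasons). Each reason is one independent signal; the
    caller decides how many signals it takes before an analyst is paged."""
    if event["network"] == "onsite":
        return 0, []  # badge-controlled network: trusted here, audited elsewhere
    reasons = []
    if event["country"] not in operating_countries:
        reasons.append("country outside operating region")
    known = baseline.get(event["user"])  # .get() does not create an entry
    if known is None:
        reasons.append("no login history for this user")
    else:
        if event["country"] not in known["countries"]:
            reasons.append("country never seen for this user")
        if event["device"] not in known["devices"]:
            reasons.append("device type never seen for this user")
    return len(reasons), reasons


def flag_logins(events, baseline, operating_countries, threshold=2):
    """Events with at least `threshold` signals are returned for review."""
    flagged = []
    for e in events:
        score, reasons = score_login(e, baseline, operating_countries)
        if score >= threshold:
            flagged.append({"user": e["user"], "country": e["country"],
                            "device": e["device"], "score": score,
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_logins(NEW_EVENTS, build_baseline(HISTORY), OPERATING_COUNTRIES):
        print(f'{hit["user"]} from {hit["country"]} on {hit["device"]}: '
              f'{"; ".join(hit["reasons"])}')
```

With the sample data, the North Korean Android login collects three signals and a Canadian login from a user only ever seen in the US collects two, so both are flagged; a doctor trying a new phone over the VPN collects one and is not, which is the point of scoring rather than alerting on any single change.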
There is also an unusual situation developing as a result of the rapid rise in medical record theft.
HIPAA (the Health Insurance Portability and Accountability Act) was designed to protect the confidentiality of patient medical records.
However, when a record is stolen and the criminal’s fraudulent care is added to it as part of the identity theft, victims run into problems reviewing their own files: under a strict reading of the Act, the criminal’s entries are now another patient’s protected information, and the provider may refuse the victim access to the record.
HIPAA does not address how to correct fraudulent medical records that were illegally obtained, which has created a tough situation for victims of identity theft.
A growing number of state and federal legislators are pressuring the U.S. Department of Health and Human Services to clarify the rights of medical record theft victims under the law, but there has been no official action yet and every breach seems to create a new set of problems that HIPAA was never designed to address.
Prevention of medical identity theft
Meanwhile, as each month brings reports of new medical records breaches, there are steps consumers can take to avoid becoming a victim of medical identity theft or at least minimize the risk.
- Regularly ask your health insurance provider for a record of the benefits paid under your account. Often the first sign that your medical record has been breached is a bill, or a statement of benefits, for medical services that are not yours.
- Be extra careful about disclosing any personal information via phone or email. Identity thieves who are armed with information contained in your medical record will often pose as a pharmacy or insurance representative and attempt to contact victims to gain even more useful data.
- Security experts also recommend that consumers keep their own medical billings records in a secure location (such as a safe) and shred any important documents before disposing of them in the trash. This includes even old prescription labels which can display a surprising amount of personal information.
As we move into the last quarter of 2016, there are signs that criminals are branching out into different avenues to monetize the theft of medical records.
Earlier this year, a ransomware attack on the Hollywood Presbyterian Medical Center in California locked the organization out of its own computer systems.
But rather than steal records, the attackers demanded a ransom of $17,000 in bitcoin (which is harder to trace than a bank transfer) to restore access.
The hospital paid and got their systems back, but the event sent a chilling signal to the medical profession that the attackers are getting bold and more confident.
Until the healthcare industry can better protect their systems, the attacks will continue and the price will undoubtedly go up.