As Halloween approaches, the usual spate of horror movies will intrigue audiences across the US, replete with slashers named Jason or Freddie running amuck in the corridors of all too easily accessible hospitals. Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities.
(I know how terrible this type of crime can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing on-going bills that have been accruing for the last 15 years).
In 2015, healthcare was one of the top three industries hit hardest by data vandals. Patients’ records, packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records fetch a high price on the black market.
Who Are The Hackers?
Approximately 45% of the attacks are from outside intruders looking to steal valuable patient data. However, “phantom” hackers are also often your colleagues, employees and business associates, careless in the use of passwords or lured by phishing schemes that open the door for data thieves.
The problem is not only high-tech, but also low-tech, requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.
Medical data theft is a growing national nightmare. IDC’s Health Insights group predicts that 1 in 3 healthcare recipients will be the victim of a medical data breach in 2016. Other surveys found that in the last two years, 89% of healthcare organizations reported at least one data breach, with 79% reporting two or more breaches. The average cost of a healthcare data breach is about $2.2 million.
At health insurer Anthem, Inc., hackers stole up to 80 million records using social engineering to dig into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and to hack databases.
Healthcare Hacks Spread Hospital Mayhem in Diabolical Ways
Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.
What makes this breach more concerning is the question of how did hackers access healthcare systems after breaching payment systems at food/beverage facilities, when these networks should be completely separated from one another? Healthcare system networks are very complex and become more complicated as other business functions are added to the infrastructure – even those that don’t necessarily have anything to do with systems handling and protected health information.
Who hasn’t heard of “ransomeware”? The first reported attack was Hollywood Presbyterian Medical Center which had its EHR and clinical information systems shut down for more than week. The systems were restored after the hospital paid $17,000 in Bitcoins.
Taking Healthcare Security Seriously
Healthcare is an easy target. Its security systems tend to be less mature than those of other industries, such as finance and tech. Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2% to 3%.
Meanwhile, the number of healthcare attacks over the last five years has increased 125%. Personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can sell for as much as $363 per record.
Many healthcare executives believe that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, many organizations have either decreased their cyber security budgets or kept them the same. While the healthcare industry has traditionally spent a small fraction of its budget on cyber defense, it has also not shored up its technical systems against hackers.
Disrupting the Healthcare Security Industry with Behavior Analysis
Common defenses in trying to keep patient data safe have included firewalls and keeping the organization’s operating systems, software and anti-virus packages up-to-date. This task of constantly updating and patching security gaps or holes is ongoing. However, with only about 10% of healthcare organizations not having experienced a data breach, sophisticated hackers are clearly penetrating through these perimeter defenses and winning the healthcare data security war. It is time for a healthcare data security disruption.
Many organizations employ network surveillance tactics to prevent the misuse of login credentials. These involve the use of behavior analysis, a technique that the financial industry uses to detect credit card fraud. This technology relies on cloud technology to combine artificial intelligence with machine learning algorithms to create and deploy “digital fingerprints” using ambient network surveillance to cast a net over EHRs and other hospital data sanctuaries. It exposes user behavior deviations that humans would miss and not only stops outside hackers and malicious insiders, but also flags problem employees who continually violate cyber security policy.
The concept is simple. A pattern of user behavior is established and any actions that deviate from that behavior, such as logging in from a new location or accessing a part of the system the user normally doesn’t access are flagged. Depending on the deviation, the user may be required to provide further authentication to continue or may be forbidden from proceeding until a system administrator can investigate.
The healthcare data security war can be won. The industry would do well to implement network surveillance that includes behavior analysis. It is the single best technological defense against the misuse of medical facility systems and the most powerful weapon the healthcare industry has in its war against cyber criminals.
Santosh Varughese is president of Cognetyx, an organization devoted to using artificial intelligence and machine learning innovation to bring an end to the theft of patient medical data.