The healthcare industry runs on digital records. And in order for it to operate efficiently, patient files must be accessible on an ever-expanding number of devices — from intake computers to hand-held tablets used in exam rooms. But this ease of access is posing new problems for maintaining privacy standards in the age of rampant fraud and hacks.
Diagnosing the Problem
On the dark web, medical information is worth 10 to 20 times more than credit card numbers. Why? Hackers can make a string of purchases on a stolen credit card, but medical records include names, addresses, medical histories and — most valuable of all — Social Security Numbers.
This highly personal information gives thieves everything they need to orchestrate full-scale identity fraud schemes that can last for years. Even more alarming, the incredibly valuable data stored by the healthcare industry is protected by some of the weakest security. According to a recent study, medicine ranks ninth out of all industries in terms of its security safeguards.
The High Cost of Healthcare Fraud
One in every four Americans has been affected by a healthcare data breach, and half of those people eventually suffered medical identity fraud, averaging $2,500 in out-of-pocket expenses. Rather than being notified by the companies involved, half of these fraud victims discovered the crime themselves while examining medical insurance claims or credit card statements.
As hospitals, pharmacies and insurance companies shift to electronic records, healthcare data breaches have grown in both size and frequency. In fact, seven of the top 10 breaches have occurred in the last three years, including 2015’s epic Anthem Blue Cross hack, affecting 78.8 million people.
In 2017, attackers compromised everything from hospitals to imaging centers, getting in through unused but still-live websites, unencrypted storage drives, misconfigured cloud storage, phishing emails and ransomware.
One of the largest breaches of 2017 occurred when 1.1 million people on Indiana’s Medicaid and CHIP programs had their names, Medicaid IDs and more compromised through a live hyperlink to an online report.
The Expanding Security Gap
Despite being a lucrative target, many healthcare sectors rely on aging computers and outdated software. Using stolen birthdates, policy numbers, diagnostic codes, billing information and Social Security Numbers, fraudsters can create fake IDs to buy medications and medical devices, commit insurance fraud and even receive surgeries. Since many of these frauds are not immediately detected, thieves can abuse the system for years.
Last year, the world learned just how vulnerable healthcare is when the WannaCry ransomware worm spread to some 150 countries by exploiting unpatched Windows systems through the SMBv1 flaw that Microsoft's MS17-010 update had already fixed. Great Britain's National Health Service was badly disrupted by the malware, with hundreds of procedures cancelled and thousands of patients turned away. And just this year, a different ransomware attack on Hancock Health shut down the hospital's network and forced staff to record patient visits with pen and paper.
While an official estimate of the cost of healthcare hacks is hard to pin down, the price tag measures in the billions, and this expense is often passed along to consumers in the form of rising healthcare premiums.
The Future of Medical Security
Attacks like WannaCry have made the regulatory stakes clear. The EU's General Data Protection Regulation, in force since May 2018, creates greater accountability when a company suffers a data breach because of inadequate preparation and data safeguards. The U.S. has no equivalent general privacy law, but HIPAA protects patient privacy and requires covered entities to safeguard electronic health information, and state laws stipulate how personally identifiable information must be stored and protected.
Making healthcare data easier to access has the potential to transform healthcare for the better, but every device added to the increasingly connected Internet of Things is another access point that must be secured.
With more electronic data available than ever before, securing health information exchange, the sharing of records across systems with differing levels of privacy protection, is an increasingly important concern.
Stronger safeguards for medical records could include biometrics and two-factor authentication, encryption with well-vetted algorithms such as AES-256, post-quantum cryptography to stay ahead of quantum computers that could one day break today's public-key schemes, and blockchain technology, which replicates an append-only ledger across many parties so that entries cannot be altered or deleted without detection.
Because a blockchain has no single central store, there is no one server whose compromise lets an attacker rewrite the whole record. Every participant holds a full copy of the ledger, however, so patient data placed on it must be encrypted, or kept off-chain with only its fingerprint (a hash) recorded, for confidentiality to hold. Used that way, the technology could be especially beneficial to healthcare, where the integrity of patient data needs to be guaranteed.
Whatever the future may bring, innovations in healthcare security will need to comply with HIPAA and follow NIST cryptographic standards, which specify approved algorithms and key-management practices so that sensitive data stays encrypted until an authorized recipient holding the private key can unlock it.
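The "encrypted until the holder of the private key unlocks it" model above is usually built as envelope encryption: each record gets its own AES-256-GCM data key, and only that small key is encrypted with the recipient's RSA public key. The following Go program is an added example written for this article, not Bluefin's product or any vendor's implementation; the record ID, the sample JSON record and the OAEP label are constructed for illustration, and it uses only the Go standard library's NIST-approved primitives (AES-GCM, RSA-OAEP with SHA-256).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the stored or transmitted form of one record: the record
// encrypted under a fresh AES-256-GCM data key, plus that data key wrapped
// with the recipient's RSA-OAEP public key. Without the matching private
// key nobody can recover the data key, and therefore nobody can read the record.
type Envelope struct {
	WrappedKey []byte // data key encrypted with RSA-OAEP(SHA-256)
	Nonce      []byte // 96-bit GCM nonce, unique per data key
	Ciphertext []byte // record ciphertext with the GCM authentication tag appended
}

// oaepLabel (a constructed value) binds the wrapped key to this purpose; a key
// wrapped under the same RSA key for some other use will not unwrap here.
var oaepLabel = []byte("patient-record-data-key-v1")

// NewRecipientKey creates the recipient's RSA key pair. The private half
// stays with the recipient; senders only ever receive the public half.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts record for the holder of the private key matching pub.
// recordID is authenticated but not encrypted, so a ciphertext copied onto a
// different patient's record fails to open instead of silently decrypting.
func Seal(pub *rsa.PublicKey, recordID string, record []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // 256-bit key, used for exactly one record
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, record, []byte(recordID)),
	}, nil
}

// Open recovers the record. Any change to the wrapped key, nonce, ciphertext
// or recordID makes GCM's tag check fail, so tampering yields an error, never garbage.
func Open(priv *rsa.PrivateKey, recordID string, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte(`{"name":"Jane Doe","dob":"1970-01-01","dx":"J45.20"}`)
	env, err := Seal(&priv.PublicKey, "mrn-000123", record)
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, "mrn-000123", env)
	fmt.Printf("decrypted: %s err=%v\n", got, err)
	env.Ciphertext[0] ^= 1 // simulate a bit flipped in storage
	_, err = Open(priv, "mrn-000123", env)
	fmt.Println("after tampering:", err)
}
```

The per-record data key means a compromised backup discloses nothing without the RSA private key, and rotating the recipient's key only requires re-wrapping the small data keys, not re-encrypting every record. In production the private key would live in an HSM or cloud KMS rather than in process memory.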
Payment Data Protection Anytime, Anywhere
As America’s healthcare industry evolves and expands, there is a growing effort to make major healthcare data breaches a thing of the past. Until then, Bluefin is here to protect customer payment data the moment a card enters a payment system with our PCI-validated P2PE solution. To learn more, contact Bluefin today.