Cyber thieves exploiting health care security gaps

EXPERT ANALYSIS FROM HIMSS15

CHICAGO – Health care data theft represents a far greater threat than theft of credit card, financial, and banking information.

The reasons are simple: stolen health care records have a longer shelf life and offer a higher payout on the black market, James Trainor, deputy assistant director of the Federal Bureau of Investigation’s Cyber Division, said at the annual meeting of the Healthcare Information Management Systems Society.

Photo: James Trainor (Patrice Wendling/Frontline Medical News)

When credit cards are stolen it’s pretty easy to identify the information on cyber crime forums and compensate for loss, so the value of that stolen credit card or bank record has a certain shelf life. For health care records, it’s harder to identify where those stolen records may end up and as such it creates a greater challenge for law enforcement.

The opportunity to exploit and monetize stolen health care data for various forms of fraud such as identity, Medicaid, tax, medical device, and pharmaceutical fraud increases the value at which they can be sold online.

“Actually, it’s one of the primary reasons why criminal organizations go after health care records,” Mr. Trainor said.

Not surprisingly, the FBI rates health care data theft as a Tier 1 priority, capable of causing “catastrophic or severe harm.”

And the problem is growing. Two years ago, a significant cyber intrusion occurred every 2 weeks; now it happens every 2-3 days.

“The pace is growing rapidly, the volume of data that’s being [stolen] is substantially increasing, and it just requires a much more robust response across the U.S. government and private sector,” said Mr. Trainor, who helped investigate the December 2014 Sony cyber attack.

Challenges unique to the health care sector include the use of legacy computer systems, “bring your own device” policies, and the increased volume of data following the transition to electronic health records; in addition, theft of protected health information isn’t readily discovered, he said. The range, size, and capability of IT infrastructure vary dramatically, as do the funding and resources needed to keep up with the rapidly changing IT field.

Other challenges include video conferencing systems, digital video systems used for consultations and remote procedures, and Internet-connected medical devices such as insulin pumps, pacemakers, and MRI machines, said Kevin Hemsley, a project manager at the Idaho National Laboratory supporting the Department of Homeland Security’s Industrial Control Systems Computer Emergency Response Team.

Photo: Kevin Hemsley (Patrice Wendling/Frontline Medical News)

While providers love the ability to use the Internet to control and monitor devices, the security mechanisms built into those devices can be minimal. This makes them low-hanging fruit for thieves, who can enter the system and even lock up an otherwise safe device.

Mr. Hemsley noted that a 2014 report by the Internet security and training firm SANS found that 33% of malicious traffic passed through or was transmitted from VPN applications and devices versus 16% from firewalls, 7% from routers, and 3% from enterprise network controllers.

“One of the messages here is to look at cyber security as being more than HIPAA, it’s patient safety,” he said.

Both experts advised physicians and other health care providers to update their privacy and security software frequently. Available resources include the FBI’s 24-hour CyWatch (855-292-3937/cywatch@ic.fbi.gov), Cyber Task Force (with 56 local field offices), and for individuals, the Internet Crime Complaint Center (www.ic3.gov).

Speedy communication with officials following a data breach is important not just to get the institution’s system back up and running; it also allows officials to identify the data footprints left by hackers before they are destroyed, Mr. Trainor said.

In two of the three recent high-profile health care cyber attacks involving Community Health Systems (4.5 million accounts), Anthem Blue Cross Blue Shield (78 million records), and Premera Blue Cross (11 million consumers), the institutions contacted the FBI, but in one unnamed case, the FBI had to make the call, he pointed out.

pwendling@frontlinemedcom.com
