Many of the clients we work with are either medical service providers or vendors to medical service providers. If they create, transmit or store patient data, then they are a covered entity and therefore responsible for compliance with HIPAA. What we often find is that clients are under the impression that HIPAA provides a set of specific instructions for how to secure a network and protect data. What they discover is that there isn’t a yellow brick road leading to compliance. HIPAA lays out the results that information security efforts are expected to achieve, but clients are required to build the road to those results themselves.
The mindset is often: “We aren’t really a target like the financial industry or retailers, so we just need to make sure we don’t do something stupid and lose our data.” This can no longer be the mindset. A recent CNN article sheds some light on why the healthcare industry, and specifically medical records, may become a much more lucrative target for data exfiltration. According to many sources, credit card numbers typically fetch about $1 to $2, but sometimes up to $100, on the black market depending on the metadata that is included. Stolen card numbers are often unreliable, and it can take hundreds or thousands of them to see any profit. Medical records, on the other hand, are fetching around $50 per record, according to Med Page Today. To put this in perspective, Target lost approximately 40 million credit card records in the initial breach. Based on the black market price, the stolen data could be worth up to $40 million. It won’t be quite that much, because duplicate records, expired cards, fraud protections and other factors reduce the total value of the data. Additionally, many systems are in place to protect against misuse of that data and to track down anyone who attempts to use it.
Why are medical records worth so much? What information can be gained from them? According to CNN and other sources, they can be used to fraudulently bill organizations such as Medicare, and they can be used to impersonate patients so that attackers can obtain prescriptions to sell.
Let’s take a fictitious scenario in which medical records are stolen from an exchange of hospitals. It would take only 800,000 records (compared to 40 million) to reach a potential $40 million in value. Additionally, those records will be more reliable, because they can be used to exploit an industry that has yet to fully adopt modern security practices and checks. Not only can those records be used to defraud the government; according to the CNN article, they can also be used to make patients liable for charges. Where credit card companies will forgive debts from fraudulent charges, there are no such protections in place for patients, and these situations can get quite complicated.
Time and time again, we find that healthcare organizations are behind in adopting even standard security practices. Gone are the days when the healthcare industry needed protection only from itself; it now faces a real threat from malicious actors. Healthcare organizations hold very valuable information, and if controls aren’t put in place to protect it, they could quickly find themselves falling further and further behind the curve in protecting their information and their patients. Do you know where your organization stands when it comes to IT security and compliance?