Modern Piracy: Vulnerable Electronic Health Records

March 26, 2015

The security breaches that occurred last year at retailers like Home Depot, Target, and Michaels shocked consumers and experts alike. An astonishing number of consumers were affected by the breaches. Home Depot reported that 56 million debit and credit card holders were affected, while Target reported that 40 million credit card numbers and 70 million phone numbers and addresses were lost. To put the vastness of the breaches in perspective, the number of consumers affected in each breach is more than the entire population of France.

High-volume hauls are essential for identity and credit card theft because, according to the FBI Cyber Division, the value of credit card numbers and general personal information is surprisingly low: about $1 per credit card number.

However, cyber criminals have identified a far more lucrative target in electronic health records. The criminals may blackmail the healthcare entity for a lump sum payment to make the problem go away without publicity. Criminals can also comb through their haul of health records, looking for specific information with which to blackmail wealthy or powerful patients. Even without the blackmail option, electronic health records are incredibly valuable, with a single partial healthcare record selling on the black market for $50. Furthermore, an electronic health record can be used to file fraudulent insurance claims and obtain prescription medications, as well as for more traditional identity theft.

The federal government mandated a transition to electronic medical records by January 1, 2015, and many providers were not prepared to handle the records, let alone properly secure them from cyber criminals. Unfortunately, the time to detect the theft of electronic health records is almost double that of traditional identity theft, because such theft is more difficult to discover.

Further compounding the issue is the lack of security within the healthcare industry. In 2014, it was reported that 45% of organizations had not implemented security measures to protect patient information. This month saw a massive breach at the health insurance company Anthem in which hackers gained access to information on as many as 80 million Americans. The huge healthcare firm did not encrypt the large volume of personal information it held, which is hard to believe given the increasing frequency of cyber crimes seeking such information. According to Anthem, “[t]he information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data. We have no reason to believe credit card or banking information was compromised.” But as stated above, the real value for the cyber criminal is the health-related data, not the credit card information.

Anthem has offered credit-monitoring services to customers, which has seemingly become the standard corporate apology for failing to protect sensitive data. Perhaps the issue is the failure to recognize the sensitivity and black market value of the data in an electronic health record. Perhaps the issue is the frenetic pace of the conversion of records to electronic media. Likely, it is both. A firm that monitors networks says that health care providers have been rushing the digitization. When one provider was asked how many computers it had, the answer was between 300,000 and 500,000. Needless to say, that provider lacked a precise understanding of its own systems. If this is commonplace, then the healthcare industry has a long road ahead.

Until the true value of health record data is recognized and proper levels of protection are implemented, we should expect many more headlines revealing breaches by cyber criminals. As consumers, we will need to be vigilant not only with our credit card information but also, where possible, with our healthcare data.