Healthcare data at risk: why medical records are easy to hack, lucrative to sell
Stolen healthcare data can be worth 10 to 50 times more than payment card data in the cyber underground. Electronic health records fetch around $50 per record, according to the FBI. Some experts put that number as high as $500 for some type of medical records.
Credit and debit card numbers, by contrast, can sell for as little as $1 to $2 per account number.
“There’s an enormous online marketplace for these records,” says Kurt Stammberger, senior vice president of marketing at Norse, a security company that monitors malicious and criminal Internet traffic. “It’s like eBay — people bid, and there’s a ‘buy now’ price.’ ”
Healthcare companies are taking major financial hits—and writing off this exposure as an extraordinary cost of doing business. Details on the pain level for breached companies are surfacing, thanks to data breach disclosure rules under the Healthcare Insurance Portability and Accountability Act (HIPAA.) For instance:
• WellPoint Inc., a managed-care company, settled a case with the U.S. Department of Health and Human Services for $1.7 million last year. WellPoint allegedly left electronic records of more than 600,000 people accessible over the internet due to a security weakness.
• New York and Presbyterian Hospital and Columbia University agreed to a $4.8 million settlement earlier this year after substandard security led to 6,800 patient records becoming accessible by search engines online.
Individual consumers are getting harmed financially, as well, to the tune of $12.3 billion last year. Ponemon’s 2013 Survey on Medical Identity Theft found that more than one third of victims paid an average of $18,660 out of pocket to recover from data theft. That included being compelled to reimburse healthcare providers for services supplied to an impersonator.
Healthcare experts, privacy advocates and law enforcement officials acknowledge that the fundamental problem is mushrooming and won’t be easy to stabilize.
Part of the challenge is financial. The Affordable Care Act mandates that providers expend 80 to 85 percent of premiums on quality care—and that doesn’t include any provisions to prevent services from going to an identity thief.
According to Forrester research, only 18 percent of healthcare organizations’ tech spending budget goes to security, compared to 21 percent across all sectors. And most providers plan minimum or zero increase in budget.
Media reports concerning the Anthem breach have indicated that the compromised personal information wasn’t encrypted. Encryption – strong, modern algorithms properly implemented with tight key management – is the most effective way to protect data in 2015.
How do we know this? Edward Snowden, of course. He made it clear that the NSA is unable to break strong encryption. It’s likely no one else can, either. Many have expressed surprise that the Anthem data, clearly of a confidential nature and describing millions of people, was not encrypted. This may be because Anthem, like many companies operate strictly in their primary business – be it health care insurance, retail, banking or something else. Unfortunately, the reality of 2015 is that almost every business is an IT business, and part of IT is cybersecurity. It’s not an optional component. And when it comes to protecting data at rest or in motion, nothing works as well as encryption.
While encryption algorithms are relatively easy to implement in software, the ecosystem required to support them is much harder to put in place. Encryption systems are all about key management–making sure the proper key for the required operation can be found and used in a properly authorized manner. Some familiar (and older) forms of encryption, like S-MIME for e-mail and whole disk encryption like BitLocker, use a single key per system or user.
In the application space, large, sophisticated database vendors charge millions of dollars for bolt-on encryption modules. Organizations then have to alter their application software to take advantage of this technology, which is both expensive and time consuming.
To be effective and support the multiple applications needing access, multiple keys will have to be used. Distributing and managing the keys for these software modules adds friction to the system and makes it hard to keep everything in sync – raising maintenance and support costs. To further complicate use, glitches in the system could lead to lost data.
There is a better way: adding an encryption abstraction layer in between the application and the data storage and transport that’s invisible to the application and requires little change to either hardware or applications. Think of this as an encryption service or broker. It handles key management, authentication, and the actual encryption.
Such systems interface with existing LDAP-based identity management systems and are available today. While not without cost, such systems are more effective than an application rewrite. Organizations need to realize they are all in the IT business, and make 2015 the year of encryption.
Integra Systems, Inc., is working with enable the first ever point to point secure solution to directly target this requirement and need.