Epidemic of Healthcare Data Breaches

Like a body with a weakened immune system, the healthcare sector is being attacked on many fronts. From hackers in China to the drug infusion pumps mainlining meds to hospital patients, we are vulnerable.

One in three patients had their medical records exposed in 2015, and 2016 is predicted to be as bad or worse. Healthcare organizations are a soft, lucrative target for cybercriminals, but human negligence and malicious intent also take a toll.

In 2015 three of the seven largest data breaches were in the healthcare industry. The Retail and Financial sectors have long been the favorites of hackers, but much of that attention has been refocused on healthcare. 

The numbers of records stolen in the top three healthcare breaches were:

Anthem: 78,800,000
Premera BlueCross: 11,000,000
Excellus BlueCross BlueShield: 10,000,000

According to the Bitglass Healthcare Breach Report, 113,200,387 records were exposed in 2015. Compare that to 2014, when the total was 12,564,137: a nearly tenfold increase. The big news is the type of breach.

Breach by Type

The majority of breach incidents were due to human error, but when it comes to the number of records stolen, 98% of exposed records were hacked. The three largest breaches alone amounted to nearly 100 million records.

People tend to think of hacks in terms of stolen credit cards, but there are several reasons why Healthcare data is so desirable to cybercriminals.

Hacked credit cards generally have a short shelf life. The issuer can shut down the account and issue a new card. Healthcare data, however, often contains everything needed to apply for and receive a brand new credit card: name, address, date of birth and social security number. The new card takes much longer to recognize as fraudulent, and with restrained spending by the thief and no credit monitoring by the victim, it can last a good long time.

Good for more than just a new credit card, healthcare data is perfect for identity theft. According to the Identity Theft Resource Center, 2014 was the year of the credit card breach. 2015, they say, is the year of the Social Security Number breach. Social Security numbers present far greater opportunities for thieves, and greater risk and trouble for affected consumers.

Healthcare organizations not only possess valuable data, but they pose a soft target as well. The Financial Services and Retail sectors are far better defended, with more sophisticated security technology and a heavier overall investment in IT.

The scope of HIPAA is quite limited, particularly in the face of today's connected devices and electronic storage of health data. HIPAA regulations apply to "covered entities" - health providers, insurers, and data clearinghouses, as well as their business partners.

Not covered are home DNA and paternity tests, health apps, and fitness trackers. The amount of consumer generated health information is ever increasing, and not only is it unregulated, it is often poorly protected.

Genealogy buffs submit their DNA for genetic profiling, apps track activity of all sorts and often send it unencrypted to third-party websites, paternity test results are accessed online, heart and fetal monitors talk to smartphones, and medical records are stored in mobile virtual file cabinets.

The news has been full of stories about hacked devices, from electric skateboards to Barbie dolls. In August two white-hat hackers developed an exploit for a $1500 electric skateboard via Bluetooth. They were able to take control of the boards, which travel at 20 or 25 mph, and slam on the brakes or turn sharply. They called the hack, aptly, FacePlant.

Hello Barbie, the new interactive Wi-Fi-enabled doll, was easily hacked. Researchers were able to gain access to account information and to the microphone, using it to listen to the children. Baby monitors are under investigation again, after complaints of unauthorized access to cameras and incidents of hackers watching and talking to (or worse) babies through the monitors.

These examples, affecting modern devices that have security requirements, make it easier to believe how vulnerable medical devices can be. 

A security researcher found vulnerabilities in a hospital drug pump that enable remote access to the device, which automatically dispenses drugs to hospital patients. It is possible to change the dosage of the drug being delivered automatically to the patient, and also to change the display screen to say that the correct dosage was going in.

Cases like these, others of which include hackable implants and bedside devices, get the headlines. But other, less sensational issues pose a more common and likely risk. Hospitals are notorious for having computers with old operating systems, known to be vulnerable to malware and often unpatched.

Medical devices tend to stay in use for a long time, and when they were created there was little focus on security. Inventors did not anticipate the connected environment the devices would be working in one day, or the cybersecurity threats. Legacy devices, in a sector known for poor maintenance and minimal security, are now connected to networks and often the internet.

"I am the Cavalry" is a cybersecurity volunteer association focused on public safety. On January 19th, 2016 I am the Cavalry called for a Hippocratic Oath for Connected Medical Devices.

Complex, software-driven, connected technologies are advancing healthcare and saving lives in ways that are impossible without them. But their connectivity makes them vulnerable.

"We want to head off unintended consequences by guiding manufacturers to build devices that are resilient against the accidents and adversaries of a connected environment," said Beau Woods of I Am The Cavalry. "We've seen a lot of progress in the last two years, as stakeholders have started to proactively collaborate to advance cyber safety. We applaud those efforts and encourage others to ensure we are safer, sooner, together."

BITGLASS Healthcare Breach Report

I am the Cavalry Hippocratic Oath

Risks of Health and Fitness Apps

Hospital Drug Pumps

HIPAA Data Breaches