In healthcare, access to data and information is so strongly demanded by patients, providers, payers and employees that it is fast becoming a target for security risk. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require organizations to implement safeguards to ensure the integrity and privacy of patient records. However, because of the wealth of data in the industry that can be monetized by cyber criminals, healthcare organizations are now increasingly vulnerable to cybercrime.
Thus far in 2013, 48 percent of reported data breaches in the U.S. have been in the medical/healthcare industry, according to a breach report in May from the Identity Theft Resource Center. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost, the breach report found.
Undoubtedly, the proportion of healthcare data breaches is rising fast, with the large majority targeting patients’ personal information. And industry-wide, organizations simply aren't doing enough to prevent theft by employees and unauthorized personnel, says Jason Polancich, a 20-year veteran of the U.S. intelligence community and co-founder of HackSurfer, a Maryland-based cybersecurity firm founded in 2012 that provides information to businesses regarding the cybercrime threats they face.
Earlier this year, HackSurfer announced the launch of its service to the public. Polancich says his goal is to create the world’s largest cybercrime event data warehouse, so people have basically the equivalent of weather information, which would include the industry that got hit, what happened, who did it, and how they did it. Polancich recently spoke with Healthcare Informatics Assistant Editor Rajiv Leventhal about how data breaches occur, what the biggest data security challenges to healthcare organizations are, and how organizations can better prevent and anticipate these attacks. Below are excerpts from that interview.
What makes healthcare data so wide open for cybercrime? Is this an issue that is worse than ever before?
Yes, in a few respects. There are complex analytics that we love about healthcare and cybercrime—particularly, how the crimes are being carried out and what they’re resulting in for the practices. Employee negligence and data theft are the two big reasons for it; people see healthcare as a serious treasure trove for personally identifiable information. For healthcare organizations, IT security is not often the first concern—I’m not saying that it is not paid attention to, but it is not a main priority. As such, people tend to have easier access to the data, including everyone down to the secretary who schedules appointments. Leaving data out, leaving laptops open, leaving medical equipment that stores patient data around are key problems. We see that more in healthcare than in any other industry.
What types of attacks are most common?
Data breaches are most common, and they can occur in a few ways. Either employees are stealing the data, such as pharmaceutical and prescription data, and selling it, or they’re selling identities so these crime drug rings can use them to go out and falsify other information. But it’s all about the data. What can they get access to and what can they sell? So primarily what we see are network intrusions, or employees being paid to provide access to networks and systems. Employees are helping the bad guys for profit, and we’re seeing more of that this year.
What prevention methods can organizations take?
The best prevention method happens to be the least interesting. These organizations have to become more diligent about fundamental operational security practices. Who has access to the data? How is the data transferred around? Where are the vulnerable points? How do we make employees aware that these are the vulnerable spots? It’s a boring answer, but the reality is that companies don’t do a lot of education and training; HIPAA compliance is seen as a burden. If they start treating data security like it’s an infectious disease (which it is), you will start to see a lot of this begin to go away.
Remember, healthcare organizations exist to help people; this is the mindset they have. As a result, I feel they are just not set up from the beginning to be disciplined about security and about watching over people. The last time I was at a hospital, I sat there waiting and watching as people got up and moved away from machines, moved away from equipment, left paperwork out, and left books out that had protocols for which systems to log into. Employees at a low level really don’t understand the risk because they’re not too affected, and corporations as a whole aren’t doing a good job in terms of IT spending, education, training, safeguards and controls. These prevention methods just don’t exist on the same level as in the technology industry or financial industry.
What kind of education do healthcare employees specifically need?
There are a variety of ways to educate employees. For example, most banking employees have security tools and equipment built into their desktops. Also, regular education seminars, materials, and required training classes on protecting data are the norm in other industries. A big piece of this is keeping up on what the threats are to your specific job. That is a problem in healthcare right now. Take a nurse for example—what is it about nursing that can be a cybercrime threat? Healthcare organizations really do very little of that at all, if any at all.
And contrary to popular belief, more spending is not really the answer. You see that in the press, but what are they spending it on? Are they getting return on their investment? Rather than hiring an outside security expert, a better allocation of resources would be an education program. That would really help people understand what their roles and options are when it comes to data security.
What lessons have the flood of data breaches in healthcare taught the industry?
It’s gotten to the point where cybercrime is beyond anticipation—you need to expect it every hour, every day. The key thing about healthcare is that the industry’s data is valuable. The biggest problem is that the data is everywhere, like an infectious disease virus. And in healthcare, people tend to go to multiple systems when they have a problem. They might go to a physical therapist, a referring doctor, a lab, and a hospital. Unlike in other industries, organizations don’t study their supply chain in regards to cybercrime. In reality, companies need to apply the same discipline and preventative measures they do with infectious diseases and hygiene to their IT, their data, and their networks. But they don’t seem to be doing it even though there is a similar parallel. This is the most critical problem and the key lesson to be learned.