Medical Data is a Hacker’s Hot Ticket

Aug 28, 2023 | Security, Threats

Good as Gold

Medical groups, labs, clinics, and hospitals are a hacker’s Fort Knox. The data in their systems sells for top dollar on the dark web.  A single medical record can sell for $1000. The beauty of medical data is that it can’t be canceled, like a stolen credit card.

Medical records are the perfect tool for identity theft…

How will your patient feel getting billed for a heart surgery they never had because your practice got hacked?

 

 Healthcare Data: Come and Get It

Over 28M+ healthcare records were breached in 2022, according to the U.S. Department of Health and Human Services.

It’s important to remember these records are regulated. Breaches are considered HIPAA violations and don’t come cheap. Noncompliance penalties depend on the level of negligence. Those can start at $100 per violation (or per record) and go up to $50,000 each, with a max penalty of $1.5 million per year. Violations can also carry criminal charges that can result in jail time.

HIPAA uses a four-tiered system to assess culpability and issues fines based on the organization’s compliance with regulations.

  1. Lack of knowledge.
  2.  Reasonable cause.
  3. Willful neglect.
  4. Willful neglect not corrected within 30 days.

It doesn’t matter if you run a big healthcare conglomerate or have a small practice.  They’re coming for you.

The Big

Large hospitals or national medical groups are keenly aware of cybercrime potential. They have the money to invest, but their unique environment works against them. They are inconsistent in updating security patches or firmware, making it easier for bad actors to get in.

  • The medical industry relies on custom applications lending itself to undiscovered vulnerabilities.
  •  IoT devices are driving real-time data collection. These devices come to market quickly, focusing on function vs. security.
  • Concerns about how system changes might impact HIPPA and other oversight agencies end up slowing the patch process to a crawl.
  • The need to maintain patient quality raises concerns about adopting software patches or making changes that could cause a system disruption or jeopardize patient care.

However legitimate those concerns may feel, they are setting in motion exactly what the organization fears most. Hidden vulnerabilities and an easy point of entry for bad actors.  InfoSec reports that by July 2023, thirty-three  hospitals have already been hit by ransomware.

The Small

Local medical groups, labs, clinics and small practices typically don’t invest much in cyber crime prevention or have in-house IT staff. Too often think they fly under the radar because of their size. That very notion marks them as an easy target. Let’s see just how small the value of their data is.

In N.C., medical records must be held by the medical practice for 11 years. Let’s say your practice sees 2000 patients in its first year. Those records need to be held. Then if your practice grows at roughly 10% a year. In 11 years, your EMR will hold 5187 records.

At $1000 a pop, your data is worth $518,700 on the dark web. 

But here’s where it hurts – the average cost resulting from a medical breach is $499 per exposed record.  See what it costs you (with your real record count…)

Calculate The Cost of Your Breach

Input the number of patient records in your EMR to see the cost of a breach in at your practice.

Third-Party Access

All healthcare organizations rely on outsourced third-party service providers. Those are the medical billing companies, transcriptionists, payment processors, IT contractors, insurance companies, and accountants, to name a few. They all need access to the system, so while you’re watching out for your organization you have no clue what’s going with theirs.

Here’s some interesting examples.

  • Pharmacy services provider PharMerica experienced a massive data breach exposing the medical data of over 5.8 million patients. The company operates in all 50 states, operating 180 local and 70,000 backup pharmacies, and serving 3,100 medical facilities nationwide. A ransomware gang, Money Message, claimed credit for the attack and proved it by publishing some stolen data
  •  Shields Health Care Group, A medical imaging and outpatient surgical services provider exposed the data of 2 million New England patients who received care at about 60 facilities affiliated with Shields.
  •  A ransomware attack on a medical debt collections agency, exposed the data of almost 2 million patients, according to HHS’ breach reporting portal.  Professional Finance Company (PFC) disclosed the attack earlier this month, informing more than 650 of its healthcare provider clients that their data may have been affected.

foxhole does Third Party vendor Assessments

One of the services we offer clients is a deep dive into the third-parties with access to your system.We examine their privacy and security protocols, look at their breach history, the level of access they have and the number of people who have it. We check for dormant accounts primed for credential stealing and check BYOD policies.  If a person has remote access to your system on a personal device, everything on that device has access too. We look at server locations and proxies, as well as the country/state laws governing hacked incidents. The deliverable is report that identifies and ranks risk with recommendations regarding each relationship.

Preparation and Prevention

Smaller medical groups need to take precautions. Instead of thinking it won’t happen to you, plan on it happening.

  • Back up your data on an offline external hard drive daily.
  • Pay for good malware protection.
  • Understand the threats you face.
  • Create policies and procedures for handling a hack.
  • Engage professional cyber experts, like Trustwave for managed detection and response.

Services We Offer

Cyber Ed 101 for Executives: Cyber security is a critical component in decision-making. Leaders need to have a baseline on various threats severity of consequences and the impact on patient care.  This is a private one-on-one class to bring non-technical executives up to speed.

Cyber Security Documentation: We review plans, policies, and procedures specifically addressing cyber security. including a paper protocol and HIPAA compliance. We identify necessary updates and compare secondary policies on dormant accounts, social media, and remote access on personal devices. We offer a cyber security documentation bundle for new practices.

Third-Party Vendor Assessment: A list of third parties with access to your system is compiled. We review their breach history, their security protocols and applications, their employee training schedule, and social media policies. We also look at the BYOD policy and how many people are using their personal devices for remote access.

Cyber Security Staff Training: Staff training should begin as part of onboarding and be conducted quarterly. The easiest way for a hacker to get into your systems is when an employee clicks on a malicious link. Social media and BYOD policies should support cybercrime prevention.

Cyber Simulations: We offer a series of cyber simulations from phishing to social engineering to ChatGPT engagement.  Management determines the parameters for engaging with staff. We build the digital tools.

Contact us here.

Share This