Cyber security has recently become a major concern for large companies, governments and individuals in line with the rising number of hacking attacks and the leakage of large amounts of data.
Hackers now appear more interested in stealing medical records rather than electronic data as the former proves to be more profitable and less risky, according to security experts.
IB Times UK spoke with Kelly Yee, Vice President at Penango, the secure webmail and encryption company in the US, about the recent cyber attacks and hackers' preference for medical data rather than credit and debit card data.
She discusses below why medical information is "the triple crown of stolen data for hackers", what the financial and legal consequences of a healthcare record security breach are, and how healthcare institutions can better protect their customers' data.
Q: How do you assess the severity of recent hacking attacks?
Hacking of medical providers has increased over the past few months and will continue to increase in severity in the future. A few reasons:
- Medical records have a treasure trove of information.
- Stealing medical information is relatively easy, as most electronic records management systems were not built for attacks.
- Stealing credit card information is no longer lucrative to thieves. Credit card companies have sophisticated fraud detection software, which makes it not worth the trouble for attackers.
Q: Why are hackers willing to pay up to 20 times more for health information than for credit card information?
Medical information is the triple crown of stolen data for hackers. First, they can steal patients' data including social security numbers, home addresses and medical history. With this information, one could apply for a line of credit or, even possibly, secure prescription drugs by using the stolen identities.
Secondly, medical providers need to adhere to HIPAA, which protects a patient's information. Any kind of security breach could make the provider liable criminally and civilly. That information is worth millions to the medical provider.
Thirdly, attackers may be able to glean intellectual property, such as medical device and drug trial data. Imagine that a pharmaceutical company is working on a breakthrough drug that has shown promise in late stage cancer patients.
They are not yet done with all the FDA approval processes but are in the final home stretch. That company may have many competitors who are working on the same thing, but they are all behind in development.
Needless to say, all the information is highly confidential. Imagine that this company has been working with a medical provider on several trials, in which the numbers tell a story.
Now, they find that there is a breach in patient records, which contain information on the drug trial, and that information can be purchased on the black market. How much would that company pay to keep that information private? How much would their competitor pay to see their trial numbers?
Q: What are the consequences (financial and legal) of a healthcare record security breach to the consumers and healthcare organisations?
From a financial standpoint, the medical provider could stand to lose millions and even their business. Patients might feel like their trust is violated and choose another provider to take care of their medical needs.
Again, pharmaceutical companies and medical device companies could stand to lose their edge of years of research and development, worth hundreds of millions.
Depending on the way the patient's medical records were stored and secured, the medical provider could be found in violation of HIPAA. If a violation was found, the provider could be found liable in a criminal and civil court of law.
Q: What do hackers do with the medical and health information stolen?
Attackers sell the medical information to the highest bidder on the black market. The black market is sophisticated now, and is much like what you see on eBay.
Gone are the days that the waiter steals your credit card information and goes on a shopping spree. Many attackers are specialised in their field: they lift information and sell the data. The data is then mined by other malicious parties, to open up lines of credit, illegally buy pharmaceutical drugs, or extort companies.
Q: How can hospitals and healthcare systems better protect their patients' health information?
Work with vendors to make sure that security is one of the main priorities, not just electronic records management. Treat medical records like a form of important and secure communication, like email.
Take precautions to protect the data like you would with email and encrypt the data.
Make sure that you trust the person who is accessing the data. Use techniques like two-factor authentication which adds an additional layer of security when accessing the data.
For instance at Penango, we make sure that correspondence between healthcare providers, hospitals and patients is encrypted at all times – at rest and in transit. That way if someone else intercepts the information, it is unreadable, because it is encrypted.
Q: Why has the responsibility of securing patients' data fallen on the healthcare systems versus the government?
Just like the FAA has regulations for the airline industry, HIPAA is a regulatory act for the healthcare industry. Since (most) medical providers are not government-operated practices, ultimately the (mostly private) healthcare system is responsible. Any government-owned healthcare system, like the VA hospital, must adhere to the same regulations.
Kelly Yee is Vice President responsible for growing awareness and client user base for Penango, a secure webmail and encryption company based in California. She has over 15 years of experience with a strong background in the data availability sector selling Symantec, Quantum and EMC. Kelly has co-founded a digital marketing company called RipMedia Group as well as helped grow many start-ups in the area of business plan development, market entry and channel expansion.