Prior to 1960, all medical records were kept on papers. Medical staff used to label records using the patient’s name and the last few digits of the patient’s social security number.
Revolution hit the medical industry when during the mid-1960, Lockheed developed the first of its kind electronic system known as a clinical information system. Soon after the first breakthrough, many other companies developed electronic medical record systems, without knowing a great threat – data breach!
In 2005, when the threat finally popped up with first-ever data breach of 1.4 million credit card numbers, every industry including the healthcare industry braced for the impact.
Currently, In 2020, the healthcare industry is most vulnerable to data breaches due to large amounts of patient data and the COVID-19 situation. The centralized storage of patient data (in the EHR system) also makes the healthcare industry an easy target of cybercriminals.
Sensing the urgency, I will share a 3-way approach to prevent EHR hacking or data breach in 2020. But before discussing that, let’s first discuss the top medical data breaches in history.
Top 3 medical data breaches in history:
AMCA data breach – 12 million patients
In early May 2020, the 8-K form filing revealed that American Medical Collection Agency was hacked between August 1, 2018, and March 30, 2019. Hackers stole lab testing results and social security numbers of 12 million patients.
Dominion National: 2.96 million patients
Insurer Dominion National found an alert of unauthorized user access which prompted the investigation. During the investigation, they found that unauthorized users have been accessing their server since August 2010 and potentially breached the data of 2.96 million patients.
Inmediata Health Group: 1.5 million patients
Due to a misconfigured database, the Inmediata Health Group experienced a data breach of 1.5 million patient records. Cybercriminals stole patient demographic information, medical claims data and other personal information.
After knowing the top data breaches in the healthcare industry, you must be wondering why hackers are stealing data or how hackers make money out of stolen patient data. Let’s answer the most anticipated question.
3 ways hackers make money out of stolen data
As soon as hackers steal the patient data, the first step they execute is data organization. They organize the data, find valuable information out of it and prepare a proper database. Valuable information includes phone numbers, financial information, social security numbers, credentials etc.
Once they organize the data, they have multiple ways to make money out of it.
Use stolen data for themselves
To avoid getting caught easily, hackers rarely use stolen data for themselves. But when hackers use stolen data for themselves, they purchase items online, make fraudulent health insurance claims, extract money from patients’ bank accounts etc.
Login credentials selling
Hackers usually sell login credentials of different healthcare platforms such as insurance platforms and telehealth platforms to the dark web. The buyers use these credentials to make false identities and make fraudulent health insurance claims.
PII (Personal Identity Information) selling
This is the most preferred way of hackers to make money out of stolen data. They sell personal information of patients to underground marketplaces that are accessible on the dark web.
Generally, hackers sell PII in bulk. They earn money based on how recent the stolen data is. The more recent data means the more money!
Here is the worth of patient data in underground marketplaces:
Basic data such as name, security number, and date of birth: $0.10 – $1.50.
Medical notes and prescriptions: $15-$20.
Medical mobile app accounts – $15-$25
The full package including all personal and financial information: $35 – $100.
Here, it is worth mentioning that an EHR system or software accommodates all such information. According to a study, nearly 60 percent of hospitals have experienced electronic health record (EHR) disruptions. Thus, it becomes an urgency to discuss ways to prevent an EHR data breach.
3-way approach to prevent EHR hacking or patient data breach
Preventing EHR hacking is not a step, it is a process that you have to keep following until you use the EHR system. Since cybercriminals are using multiple hacking techniques to steal the data, you also have to ramp up your efforts and do not rely only on one approach.
The following is the 3-way approach which you can consider to prevent EHR hacking.
Contingency Plan:
Do not assume that you are not on the radar of cybercriminals. Instead, always prepare for the worst.
The contingency plan prepares your IT infrastructure and healthcare organization to lock horns with cybercriminals. It makes sure that you are prepared to survive a cyber-attack.
The contingency plan includes,
Data backup plan
Disaster recovery plan
Technical assessment of network and EHR
The technical assessment of the network and EHR system helps you know the loopholes in the network and EHR system setup which hackers could use to breach data. It also helps you,
Discover potential threats
Implementation of workable cyber security techniques
Remain consistent with appropriate security measures
Staff training
It is crucial to monitor your users’ online activity as many times users click on malicious links and open doors for hackers. Users unknowingly favour hackers in many situations as they lack the basic understanding of cybersecurity. Thus, you should train your users and execute many steps at the administrative level.
Provide proper training for employees
Periodically check cybersecurity knowledge level of employees
Allocate a security official to draft and execute security policies and procedures
In the nutshell:
A cyber attack is a nightmare for any healthcare organization, especially a cyber attack which forces them to completely halt the operations. Due to the centralized storage of data and healthcare professionals lacking basic cybersecurity knowledge, healthcare organizations have become easy targets of cybercriminals.
In this blog, we have shared a 3-way approach- to prevent EHR hacking or patient data breach in healthcare organizations. Summing up the 3-way plan, healthcare organizations should prepare for the worst, carry out technical assessments and train their staff to not make costly mistakes.