What Can We Do to Address Our Dizzyingly Vulnerable Medical Data?
If you’re reading this, your personal
information has probably been hacked.
Almost certainly, you had your social security
number compromised in the massive Equifax breach. You probably had a credit card number stolen
in the skim of systems at Target, Kmart, UPS, Staples, Home Depot, Neiman Marcus, Hilton, Dairy Queen, or T.J. Maxx. You may have been one of the 21.5 million federal
employees who
had their private information pilfered in a malware attack. You likely had an
old password pilfered from a hack of Yahoo, LinkedIn, AOL, Adobe, eBay, Twitter, or Slack.
Though they’re less
frequently talked about, the electronic medical records systems used by health
systems and hospitals, health insurance companies, and their many thousands of
third-party partners are just as vulnerable to breaches as many of the
high-profile targets mentioned above. And the damages a serious healthcare
breach could wreak are a lot more consequential.
While medical data and
hospital functions may not seem as enticing to hackers as SSNs or banking
information, they’re actually more valuable. Experian, for example, estimates
that health records are worth up to 10 times more than credit card numbers on the black
market (some experts even put it as high as 100x). This is, in part, because criminals can use
medical data for a variety of damaging purposes, including prescription fraud,
insurance claim fraud, abusive ad targeting, and even blackmail. And, unlike a
credit card, medical records mostly contain information that can’t be cancelled
or changed and that is much more personal than a string of numbers. Think of
all the information a provider might have: a patient’s complete psychiatric
record, sexual history, sensitive diagnoses, medication histories, and more.
There’s a reason the government has ironclad laws like HIPAA that require healthcare record
holders to protect the privacy of this kind of patient data.
Though we haven’t seen an
Equifax-scale incident hit healthcare yet, a quiet epidemic of medical data
breaches has already started. The Protenus Breach Barometer reports that 477 health data breach
incidents
occurred in 2017 (Editor’s note: In addition to being one of our outstanding
Fellows, Robert Lord is also the co-founder and President of Protenus). In the
past three years, hackers have leveraged ransomware to cripple hospitals across
the world, shutting down operations for days at a time until the ransom is
paid. In the WannaCry attack that hit around 200,000 systems in May 2017,
doctors were blocked from accessing patient files and emergency rooms were
forced to send sick people away. In 2015, hackers, likely acting on
behalf of a foreign government, accessed a database kept by the insurance company Anthem that
contained records of approximately 78.8 million consumers and staff. In the
last three years, the sensitive health information of almost half of Americans
(over 160 million individuals) has been exposed through data breaches.
Just weeks ago, news
broke that a group known as Dark Overlord hacked into the
systems of London Bridge Plastic Surgery, a business that allegedly caters to elite,
celebrity, and royal clientele. According to The Daily Beast, the collective claims the trove of data they stole includes graphic
photos of “in-progress genitalia and breast enhancement” and post-op
patient bodies that include faces. As Jacob Brogan wrote for Slate’s “Future
Tense”, it should serve as a chilling warning about
how vulnerable our sensitive medical data can be.
Over the past decade,
healthcare has transformed from a heavily analogue, paper-based paradigm
for record-keeping to one that is almost entirely digital. The federal government, hospitals, and
providers have rightly pushed for this migration from paper to electronic
medical records, which allow for more efficient and accurate sharing of patient
information across facilities (though controversies and challenges remain on
this front). Thanks in part to a $30 billion investment authorized by Congress
in the HITECH Act, over 96 percent of
hospitals now
use some form of electronic health records (EHRs).
With this increase in the
amount of electronic patient data comes a new set of complex security concerns.
Increasingly, patients are given access to their data through online patient
portals. Health Information Exchanges (HIEs) give providers a means to improve
patient safety and quality of care and to reduce healthcare costs, but do so by
allowing them to access patient data from facilities other than their own. Trends like telehealth (a broadly defined set
of technologies used to care for, monitor, and educate patients), personalized
medicine, and population health have also led healthcare technologists and
advocates to push for more and easier modes to view, track, and update health
information. While third parties like community physicians, affiliates, and
vendors are often long-time trusted partners, they constitute yet another large
segment of new EHR users with access to patient data. As more individuals gain
access to patient information, significant new patient privacy monitoring
challenges also arise.
Indeed, though this
increasing flow of data gives patients and providers greater autonomy and
choice, each access point becomes a potential weak link that hackers can
exploit.
So, here’s the question
we have to answer: what can we do to address our dizzyingly vulnerable medical
data?
In short, continue to
build the capacity of the healthcare sector to combat these emerging cyber
threats. According to cybersecurity professionals, a single technical solution
is insufficient to protect data, so they often suggest employing “layered
defenses,” a strategy that, as the name suggests, takes a layered approach to
securing information. This might include using multiple technologies such as
anti-virus solutions and firewalls, tools such as multi-factor authentication
and encryption that make data inaccessible in the case of an attack, and
training modules that inform employees how to identify phishing emails. With
each layer, it becomes harder for bad guys to make their way to the crown jewels:
data with high commercial or political value. The harder it is to compromise
our systems, the more likely cyber criminals are to look for easier targets
outside of healthcare.
However, even in cases
where healthcare technologists are fortifying medical data defenses, they’re
usually making the problematic assumption that the bad guys will always come
from outside of their organization. Because healthcare workers are
responsible for your care, they have (and need) privileged access to your
health data. But with the wrong intentions, they are also insiders who might
benefit or profit from it. Whether a curious nurse looks up the medical history
of a professional athlete, a doctor inappropriately views the records of
colleagues, a technician reviews lab results for a spouse during a bitter
divorce, or an insurance auditor batch downloads claim records, these everyday
breaches can have huge consequences for the lives, livelihoods, and dignity of
patients.
While it’s heartening to
see healthcare organizations allocating resources to stopping external threats
to patient data—85 percent of
healthcare organizations have increased cybersecurity spending over the past year,
and 12 percent increased these budgets by more than 50 percent—over 40 percent of healthcare breaches this
year have stemmed from insider activity. It’s clear that healthcare
organizations also need to invest in solutions to curb dangerous insider
behavior. 92 percent of
healthcare IT decision-makers reported that their organizations are vulnerable to insider threats and
62 percent of respondents identified privileged users—those who have access to
all resources available from systems they manage—as the most dangerous type of
insider. Think of a mid-level employee hoping to skim a bit off the top of the firm’s
transactions, or a mole sent in by a criminal network to scrape account
numbers.
So, perhaps to slightly
edit the first question we posed: What can we do to address our medical data
that is increasingly vulnerable to healthcare insiders?
Three key stakeholder
groups need to be involved.
The first is healthcare
institutions, which would be well-suited to take a lesson from the financial
sector’s playbook on tackling this challenge in the electronic banking realm.
The industry has in large measure been successful because financial
institutions have invested heavily in identifying good cybersecurity practices
and training their employees, attracting top cybersecurity talent, and
investing in innovative technical solutions. Today, most major financial
institutions deploy layers of security to combat both external and internal threats to the
integrity of their systems. This means that they install firewalls, anti-virus,
two-factor authentication and the like, as well as behavior monitoring
analytics that gather insight and continuously monitor how users move throughout
systems and interact with sensitive data. Today, with the help of insight available
from these monitoring systems, less than 5 percent of financial data breaches
come from insiders, a statistic that healthcare organizations should strive for.
The government plays a
central role not only in establishing standards that ensure healthcare
organizations’ privacy and security.
However, over the past decade, it has devoted a disproportionate amount
of effort and capital to the digitization and interconnection of America’s
health IT infrastructure, implicitly prioritizing modernization over security,
privacy and safety. Now, it must incentivize the adoption of practices and
technologies that help combat both internal and external threats in order to
ensure the safety of the infrastructure that it has helped build.
Patients are the third,
and as always, most important, stakeholder. After all, it is their wellbeing
that is at stake when it comes to healthcare privacy breaches. Trust serves as
the basis of any long-term patient-provider relationship. As technology plays
an increasingly important role in delivering healthcare, diagnosing disease,
and facilitating patient-provider communication, patients must be able to trust
these systems just as they do their doctors. It is in our own best interests
for all of us to hold systems accountable and vote with our wallets—if our
health systems won’t make the changes necessary to protect our data (and make
these technologies and policies transparent to anyone who would like to learn
about them), we should consider finding more trustworthy providers.
Digitizing medical records and health data
systems has done enormous good in making care more efficient and giving more
power to patients in their health decisions. But it has also opened patients to
new risks. Millions of patients have had sensitive diagnoses exposed over the
years from data breaches, and we are not doing enough to be able to credibly
tell them that this won’t continue to happen. If we are to augment (or even
maintain) the gains that we’ve made in healthcare’s digital transformation, we
must prioritize the trustworthiness of these new technologies, and respect the
sacred obligation that we have to defend our patients from harm and indignity.