What Can We Do to Address Our Dizzyingly Vulnerable Medical Data?

Blog Post
Feb. 5, 2018

If you’re reading this, your personal information has probably been hacked.

Almost certainly, you had your social security number compromised in the massive Equifax breach. You probably had a credit card number stolen in the skim of systems at Target, Kmart, UPS, Staples, Home Depot, Neiman Marcus, Hilton, Dairy Queen, or T.J. Maxx. You may have been one of the 21.5 million federal employees who had their private information pilfered in a malware attack. You likely had an old password pilfered from a hack of Yahoo, LinkedIn, AOL, Adobe, eBay, Twitter, or Slack.

Though they’re less frequently talked about, the electronic medical records systems used by health systems and hospitals, health insurance companies, and their many thousands of third-party partners are just as vulnerable to breaches as many of the high-profile targets mentioned above. And the damages a serious healthcare breach could wreak are a lot more consequential.

While medical data and hospital functions may not seem as enticing to hackers as SSNs or banking information, they’re actually more valuable. Experian, for example, estimates that health records are worth up to 10 times more than credit card numbers on the black market (some experts even put it as high as 100x). This is, in part, because criminals can use medical data for a variety of damaging purposes, including prescription fraud, insurance claim fraud, abusive ad targeting, and even blackmail. And, unlike a credit card, medical records mostly contain information that can’t be cancelled or changed and that is much more personal than a string of numbers. Think of all the information a provider might have: a patient’s complete psychiatric record, sexual history, sensitive diagnoses, medication histories, and more. There’s a reason the government has ironclad laws like HIPAA that require healthcare record holders to protect the privacy of this kind of patient data.

Though we haven’t seen an Equifax-scale incident hit healthcare yet, a quiet epidemic of medical data breaches has already started. The Protenus Breach Barometer reports that 477 health data breach incidents occurred in 2017 (Editor’s note: In addition to being one of our outstanding Fellows, Robert Lord is also the co-founder and President of Protenus). In the past three years, hackers have leveraged ransomware to cripple hospitals across the world, shutting down operations for days at a time until the ransom is paid. In the WannaCry attack that hit around 200,000 systems in May 2017, doctors were blocked from accessing patient files and emergency rooms were forced to send sick people away. In 2015, hackers, likely acting on behalf of a foreign government, accessed a database kept by the insurance company Anthem that contained records of approximately 78.8 million consumers and staff. In the last three years, the sensitive health information of almost half of Americans (over 160 million individuals) has been exposed through data breaches.

Just weeks ago, news broke that a group known as Dark Overlord hacked into the systems of London Bridge Plastic Surgery, a business that allegedly caters to elite, celebrity, and royal clientele. According to The Daily Beast, the collective claims the trove of data they stole includes graphic photos of "in-progress genitalia and breast enhancement" and post-op patient bodies that include faces. As Jacob Brogan wrote for Slate’s "Future Tense", it should serve as a chilling warning about how vulnerable our sensitive medical data can be.

Over the past decade, healthcare has transformed from a heavily analogue, paper-based paradigm for record-keeping to one that is almost entirely digital. The federal government, hospitals, and providers have rightly pushed for this migration from paper to electronic medical records, which allow for more efficient and accurate sharing of patient information across facilities (though controversies and challenges remain on this front). Thanks in part to a $30 billion investment authorized by Congress in the HITECH Act, over 96 percent of hospitals now use some form of electronic health records (EHRs).

With this increase in the amount of electronic patient data comes a new set of complex security concerns. Increasingly, patients are given access to their data through online patient portals. Health Information Exchanges (HIEs) give providers a means to improve patient safety and quality of care and to reduce healthcare costs, but do so by allowing them to access patient data from facilities other than their own. Trends like telehealth (a broadly-defined set of technologies used to care for, monitor, and educate patients), personalized medicine, and population health have also led healthcare technologists and advocates to push for more and easier modes to view, track, and update health information. While third parties like community physicians, affiliates, and vendors are often long-time trusted partners, they constitute yet another large segment of new EHR users with access to patient data. As more individuals gain access to patient information, significant new patient privacy monitoring challenges also arise.

Indeed, though this increasing flow of data gives patients and providers greater autonomy and choice, each access point becomes a potential weak link that hackers can exploit.

So, here’s the question we have to answer: what can we do to address our dizzyingly vulnerable medical data?

In short, continue to build the capacity of the healthcare sector to combat these emerging cyber threats. According to cybersecurity professionals, a single technical solution is insufficient to protect data, so they often suggest employing “layered defenses,” a strategy that, as the name suggests, takes a layered approach to securing information. This might include using multiple technologies such as anti-virus solutions and firewalls, tools such as multi-factor authentication and encryption that make data inaccessible in the case of an attack, and training modules that inform employees how to identify phishing emails. With each layer, it becomes harder for bad guys to make their way to the crown jewels: data with high commercial or political value. The harder it is to compromise our systems, the more likely cyber criminals are to look for easier targets outside of healthcare.

However, even in cases where healthcare technologists are fortifying medical data defenses, they’re usually making the problematic assumption that the bad guys will always come from outside of their organization. Because healthcare workers are responsible for your care, they have (and need) privileged access to your health data. But with the wrong intentions, they are also insiders who might benefit or profit from it. Whether a curious nurse looks up the medical history of a professional athlete, a doctor inappropriately views the records of colleagues, a technician reviews lab results for a spouse during a bitter divorce, or an insurance auditor batch downloads claim records, these everyday breaches can have huge consequences for the lives, livelihoods, and dignity of patients.

While it’s heartening to see healthcare organizations allocating resources to stopping external threats to patient data (85 percent of healthcare organizations have increased cybersecurity spending over the past year, and 12 percent increased these budgets by more than 50 percent), over 40 percent of healthcare breaches this year have stemmed from insider activity. It’s clear that healthcare organizations also need to invest in solutions to curb dangerous insider behavior. 92 percent of healthcare IT decision-makers reported that their organizations are vulnerable to insider threats, and 62 percent of respondents identified privileged users, those who have access to all resources available from systems they manage, as the most dangerous type of insider. Think a mid-level employee hoping to skim a bit off the top of the firm’s transactions, or a mole sent in by a criminal network to scrape account numbers.

So, perhaps to slightly edit the first question we posed: What can we do to address our medical data that is increasingly vulnerable to healthcare insiders?

Three key stakeholder groups need to be involved.

The first is healthcare institutions, which would be well-suited to take a lesson from the financial sector’s playbook on tackling this challenge in the electronic banking realm. The industry has in large measure been successful because financial institutions have invested heavily in identifying good cybersecurity practices and training their employees, attracting top cybersecurity talent, and investing in innovative technical solutions. Today, most major financial institutions deploy layers of security to combat both external and internal threats to the integrity of their systems. This means that they install firewalls, anti-virus, two-factor authentication and the like, as well as behavior monitoring analytics that gather insight and continuously monitor how users move throughout systems and interact with sensitive data. With the help of insight available from these monitoring systems, less than 5 percent of financial data breaches come from insiders, a statistic that healthcare organizations should strive for.

The second is the government, which plays a central role in establishing standards that ensure healthcare organizations’ privacy and security. However, over the past decade, it has devoted a disproportionate amount of effort and capital to the digitization and interconnection of America’s health IT infrastructure, implicitly prioritizing modernization over security, privacy and safety. Now, it must incentivize the adoption of practices and technologies that help combat both internal and external threats in order to ensure the safety of the infrastructure that it has helped build.

Patients are the third, and as always, most important, stakeholder. After all, it is their wellbeing that is at stake when it comes to healthcare privacy breaches. Trust serves as the basis of any long-term patient-provider relationship. As technology plays an increasingly important role in delivering healthcare, diagnosing disease, and facilitating patient-provider communication, patients must be able to trust these systems just as they do their doctors. It is in our own best interests for all of us to hold systems accountable and vote with our wallets—if our health systems won’t make the changes necessary to protect our data (and make these technologies and policies transparent to anyone who would like to learn about them), we should consider finding more trustworthy providers.

Digitizing medical records and health data systems has done enormous good in making care more efficient and giving more power to patients in their health decisions. But it has also opened patients to new risks. Millions of patients have had sensitive diagnoses exposed over the years from data breaches, and we are not doing enough to be able to credibly tell them that this won’t continue to happen. If we are to augment (or even maintain) the gains that we’ve made in healthcare’s digital transformation, we must prioritize the trustworthiness of these new technologies, and respect the sacred obligation that we have to defend our patients from harm and indignity.