By Ron Frechette
There have been a growing number of data breaches targeting small-midsize healthcare practices in 2017 and we are seeing the trend continue more towards ransomware attacks. Why would cyber criminals prefer to target small-midsize practices rather than going after larger hospital systems to steal patient data or what the OCR calls... electronic protected health information (ePHI)?
The answer is simple. Large healthcare systems are starting to implement robust security programs which make it harder for cyber criminals to gain access.
Small-midsize practices are much easier targets to penetrate due to lack of cybersecurity expertise and insufficient budgets. The result is having weak security controls in place to properly protect your patient's most private and confidential data.
The recent increase in stolen PHI has created an overabundance of records for sale on the Dark Web, which has led to a pricing downfall. The average cost has gone from around $50 per record to as low as $10 per record. Yes, supply and demand works the same in the criminal world.
Being that cyber criminals must accept less for stolen PHI and inventories are moving slower, they are resorting to ransomware attacks to increase short term cashflow. Ransomware is a type of malicious software that encrypts a victim's files and requires them to pay up in Bitcoin (hard to trace digital currency) before they can regain access to their data.
Why are cyber criminals so interested in protected health information (PHI)?
Things we should know about PHI:
Why PHI is Valuable to Cyber Criminals:
• Average stolen PHI sells for $10 to $50 per record on the Dark Web
• Child Patient records sell for $500 to $1,200 per record depending on detail
• PHI can be used in various ways compared to credit card data or PII
• Longer Shelf Life - often unable to detect PHI theft until several claims are processed
Most Common Scams:
• Illegal and Bogus Treatment - bill health plans for fake or inflated treatment claims
• Buy Addictive Drugs - Obtain prescription drugs to resell or feed own addictions
• Obtaining Free Treatment - Uninsured that require hi-cost healthcare treatments
• Resell to other cybercriminal groups - various purposes (i.e. identity theft, fraud)
Consequences to Victims:
• Ruined Credit - unable to pay large hospital bills
• Loss of Health Coverage - fraudulent claims max out health policy limits
• Inaccurate Records - False claims can follow a person through life
• Higher Health Premiums - false claims can raise premiums
Consequences to Healthcare Providers:
• Criminal and Civil Lawsuits
• Fines & Penalties for non-compliance
• Government Mandated Corrective Action Plans
• Defamation, Brand Damage, Loss of Human Capital
As custodians of PHI, healthcare providers are expected to uphold their professional and moral obligations to protect patient medical records from getting into the wrong hands. The challenge many physician offices face in the Digital Age is how fast digital devices have taken over the world and learning how to avoid reckless risks related to cyber and information security issues. We see it not only in healthcare, but in every industry, and it has totally transformed the way in which we all conduct business. As a result, healthcare records are stored on one or more Electronic Health Records (EHR) systems and cyber criminals are easily gaining access into the systems due to having insufficient security controls in place. The larger healthcare companies seem to be making strides towards increasing cybersecurity and awareness. The small-midsize practices still have a way to go.
Questions we should be asking our staff or EHR vendors:
1. How are we protecting our patient medical records within our practice now?
2. Do we have formal written cybersecurity policies and procedures in place?
3. Do we perform annual HIPAA security risk assessments? (required by federal law under the HIPAA Security Rule)
4. Do we have a disaster recovery and back-up plan in place in case of a data breach?
5. Do we know for certain our EHR System is secure and HIPAA Compliant?
6. Do we have cyber insurance?
7. Who can we call to help us start the process?
In closing, we expect as more breaches are reported in the media, awareness will increase and the security posture for small-midsize healthcare practices will follow. Until that time, we welcome you to share your input and feedback.
Ron Frechette Co-Founder & Managing Partner @GoldSky Security Ron is a cybersecurity and healthcare entrepreneur who over the last several years dedicated his career to helping enterprise companies reduce the risks of cyber-attacks. Ron left the enterprise security world in 2015 and co-founded GoldSky Security, LLC. Ron's vision is to build cybersecurity firms across the US that exist to help small-midsize businesses implement affordable cybersecurity solutions. Ron can be reached at (321) 296-3527 or email@example.com