Guarding healthcare data – 4 dangers of health-related information falling into the wrong hands
Medical data snatchers, brokers, and cyber criminals
Petabytes or more of health data are generated, shared and stored daily in the form of electronic medical records in healthcare facilities and personalized health data from personal digital healthcare tools. Many parties are interested in these data and are willing to steal them with the aid of data snatchers, hackers, and cybercriminals, or to buy health data legally from data brokers such as IMS Health. Here, I briefly discuss some dangers of health-related information falling into the wrong hands.
Dangers of stolen medical data
1. Medical Identity Theft
Worse than traditional identity theft for financial gain, ‘medical identity theft’ affects not only your finances but also your health and life. As per the World Privacy Forum, “Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity — such as insurance information — without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods…” and “Medical identity theft typically leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years.”
It appears that patient health cards are hot commodities on the black market and dark web. According to Ontario, Canada police records, ~300,000 extra or illegal health cards were issued in 2005. To protect yourself from such medical identity theft, it is recommended that you thoroughly check your medical bills for inconsistencies or errors; be vigilant when sharing your health information online or over the phone; keep insurance cards, health cards and social insurance numbers private; and switch to photo-ID-based health cards. The Federal Trade Commission (FTC) recommends immediately reporting any medical identity theft to https://www.identitytheft.gov/ to recover from the theft.
2. Medical identity theft-based fraud
Some reports also suggest that medical identity theft may go beyond health care fraud into obtaining fraudulent tax returns. In fact, hackers value your medical health records more than credit card information. This is because electronic medical records contain your name, family information, dates of birth, insurance information, financial information, addresses and billing information. “Stolen health credentials can go for $10 each.. about 10 or 20 times the value of a U.S. credit card number….” says the director of threat intelligence at PhishLabs, a major cyber security company. Moreover, unlike credit card theft, medical data breaches take time to be discovered, giving medical data snatchers much more time to use this information for various fraudulent activities.
3. Dangerous clouds
Cloud systems are now used by healthcare providers and patients to store patient health information and share relevant information during coordinated consultations and long-distance treatments. Currently, Google Drive, Amazon AWS, and Microsoft are the largest cloud service providers for health care. Many studies and surveys have revealed insecurities and weaknesses in cloud usage, even though many cloud service providers advertise high-standard cyber security options such as advanced encryption, continuous monitoring, regulatory compliance and sophisticated authentication methods. The most frequently observed weaknesses of cloud medical data storage are data breaches and data loss. HIPAA standards demand that cloud service providers comply with the regulations on the privacy and security of electronic protected health information (ePHI), which come under ‘the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules)’. As cloud-based medical information storage and sharing are carried out by patients, hospitals, and other parties on a daily basis, they are highly susceptible to data breaches and loss, mainly due to the negligence of the users. Therefore, it is the responsibility of healthcare providers as well as patients to ensure that whichever cloud service they are using is compliant with HIPAA regulations. Securing patient identity in cloud-based systems has been a challenging task. RightPatient and Verato have partnered to share their biometric patient identification platform and cloud-based patient matching platform to generate a more secure patient identity system.
4. Become victims of cyber crime
Cyber criminals or cyber-attackers may have three different kinds of motives: a) financial (an incentive to earn money), b) hacktivist or cyber-terrorist (the motive is an act of terrorism or an attempt to make a statement) and c) state-sponsored (cyber-armies of different countries) [14-16]. Cyber criminals who steal healthcare information may have any of these motives. Regardless of the motivation behind the cyber crime, such vulnerability may severely affect patients’ lives. This may occur in many ways. First, the cyber attack may corrupt medical data and records; attackers may manipulate the information, or the fraudster’s health information may get mixed up with the patient’s data, all of which may ultimately be harmful to the patient. The patient’s health or life may be in danger due to incorrect clinical decisions, malfunctioning devices, loss of access to critical health data and compromised patient safety. In the case of medical identity theft, the patients themselves may face legal issues, similar to the victims of other identity thefts.
5. Data from medical devices – the new currency
Medical devices are at the forefront of the digital preventive healthcare tools that the public uses day to day. These devices not only collect daily personal health data but also carry out live surveillance and use algorithms to project possible clinical outcomes. Moreover, these devices or mobile apps collect environmental information such as temperature, data from which insights could be derived for the management of national electricity requirements. For the same reasons, personal health data collected from these devices may be of high value to many health data snatchers and their dark web partners. These data are of great value not only to identity thieves but also to many other interested parties, including insurance providers, pharmacological companies, and medical device manufacturers, who are willing to pay handsomely to gain access. Many medical device manufacturers come up with more and more sophisticated apps and methods to generate more data that can be used as services. The more data they gather, the more information they have regarding the consumer’s habits, behaviors, preferences, and weaknesses. Hence, the statement that ‘Data is the new currency’ indeed has a deeper meaning. For the same reasons, unfortunately, these data from medical devices are highly vulnerable to cyber attacks. A 2015 SANS Institute report indicated that 94% of health care organizations had been victimized by cyber criminals, which also included medical devices.