Guarding healthcare data – 4 dangers of health-related information falling into the wrong hands

Medical data snatchers, brokers, and cyber criminals

Petabytes or more worth of health data is generated, shared and stored daily in the form of electronic medical records in healthcare facilities and personalized health data from personal digital healthcare tools. Many parties are interested in these data which are willing to steal them with the aid of data snatchers, hackers, and cybercriminals, and legally buy health data from data brokers such as IMS Health. Here, I briefly discuss some dangers of health-related information falling into the wrong hands.

	Recommended for you
	IoT security framework for medical devices by CISCO
	How simple tricks can fool AI?
	Live hacking of embedded medical devices

Dangers of stolen medical data

1. Medical Identity Theft

Worse than the traditional identity theft for financial gain, ‘medical identity theft’ affects not only your finances but also your health and life. As per the World Privacy Forum “Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity — such as insurance information — without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods…” and “Medical identity theft typically leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years.”

It appears that patient health cards are hot commodities on the black market and dark web. According to Ontario, Canada police records, ~300 000 extra or illegal health cards were issued in 2005. In order protect yourself from such medical identity theft, it is recommended that you thoroughly check your medical bills for inconsistencies or errors; be vigilant in sharing your health information online or over the phone; ensure privacy of insurance cards, health card and social insurance numbers; switch to photo-ID-based health cards. The Federal Trades Commission (FTC) recommends immediately reporting any medical identity theft to https://www.identitytheft.gov/ to recover from the theft.

2. Medical identity theft-based fraud

Some reports also suggest that the medical identity theft may go farther beyond health care fraud into getting fraudulent tax returns[3]. In fact, hackers value your medical health records more than credit card information. This is because electronic medical records contain your name, family information, dates of birth, insurance information, financial information, addresses and billing information. “Stolen health credentials can go for $10 each.. about 10 or 20 times the value of a U.S. credit card number….” says the Director of threat intelligence at a major cyber security company- PhishLabs[8]. Moreover, medical data breaches take time to be discovered unlike the cases of credit card theft, giving medical data snatchers much more time to use this information for various fraudulent activities [9].

3. Dangerous clouds

Cloud systems are now used by healthcare providers and patients to store patient health information and share relevant information during coordinated consultations and long-distance treatments. Currently, Google Drive, Amazon AWS, and Microsoft are the largest cloud service providers for health care. Many research and surveys have revealed insecurities and weaknesses of cloud usage, even though many of the cloud service providers advertise high standard cyber security options such as advanced encryptions, continuous monitoring, regulatory compliances and sophisticated authentication methods [10]. Most frequently observed weaknesses of cloud medical data storage are data breaches and data loss. HIPAA standards demand that cloud service providers must comply with the regulation on the privacy and security of electronic protected health information (ePHI), which come under ‘the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules)’ [11]. As cloud-based medical information storage and sharing are carried out by patients, hospitals, and other parties on a daily basis, they are highly susceptibility to data breaches and loss, mainly due to the negligence of the users. Therefore, it is the responsibility of the healthcare providers as well as the patients to ensure that whichever the cloud service they are using are compliant with HIPAA regulations [12]. Securing patient identity in the cloud based system has been a challenging task. RightPatient and Verato have partnered-up to share their biometric patient identification platform and cloud-based patient matching platform to generate a more secure patient identity system [13].

4. Become victims of cyber crime

The cyber criminals or cyber-attackers may have three different kinds of motives a) financial (incentive to earn money), b) hacktivist or cyber-terrorist (motive is an act of terrorism or attempt to make statements) and c) state-sponsored (cyber-armies of different countries) [14-16]. Cyber criminals who steal healthcare information may have any of these motives. Regardless of the motivation of the cyber crime, such vulnerability may severely affect the patients’ lives. This may occur in many ways. First, the cyber attack may corrupt medical data and records; attackers may manipulate the information, fraud’s health information may get mixed up with the patient’s data, all of which may ultimately be harmful to the patient. The patient’s health or life may be in danger due to incorrect clinical decisions, malfunctioning devices, loss of access to critical health data and compromised patient safety [17]. In the case of medical identity theft, the patient themselves may face legal issues, similar to the victims of other identity thefts.

5. Data from medical devices – the new currency

Medical devices are forefronts among the digital preventive healthcare tools that are being used by the public day-to-day. These devices not only collect daily personal health data but also carry out live surveillance and use algorithms to project possible clinical outcomes [18]. Moreover, these devices or mobile apps collect environmental information such as temperature, the data from which insights could be derived from the management of national electricity requirements. For the same reasons, personal health data collected from these devices may be of high value to many health data snatchers and their dark web partners. These data value so much not only for identity thieves but also many other interested parties including insurance providers, pharmacological companies, and medical device manufacturers who are willing to pay handsomely to gain access. Many medical device manufacturers come up with more and more sophisticated apps and methods to generate more data that can be used as services. The more data gathered by them provide more information regarding the consumer’s habits, behaviors, preferences, and weakness. Hence, the statement that ‘Data is the new currency’ [19] indeed has a deeper meaning. For the same reasons, unfortunately, these data from medical devices are highly vulnerable to cyber attacks. 2015 SANS Institute report indicated 94% of health care organizations had been victimized by cyber criminals which also included medical devices [20].

Image Credit: https://pixabay.com/de/hacker-angriff-maske-internet-1872291/

Other good sources of information

Tanner A. How Data Brokers Make Money Off Your Medical Records: Scientific American; 2016. Available from: https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/.
The_World_Privacy_Forum. Medical Identity Theft: The World Privacy Forum 2006. Available from: https://www.worldprivacyforum.org/category/med-id-theft/page/6/.
Schlesinger J, Day A. Dark Web is fertile ground for stolen medical records: CNBC; 2016. Available from: https://www.cnbc.com/2016/03/10/dark-web-is-fertile-ground-for-stolen-medical-records.html.
Ryzynski A. Medical Identity Theft: The Information Crime That Kills idAlerts Canada Inc; 2013. Available from: http://www.idalerts.ca/blog/2013/4/24/medical-identity-theft-the-information-crime-that-kills.html#.WZckYVGGPIV.
FTC. Consumer Information: Medical Identity Thef: Federal Trades Commission (FTC); 2012. Available from: https://www.consumer.ftc.gov/articles/0171-medical-identity-theft.
www.ontario.ca. Switch to a photo health card 2016. Available from: https://www.ontario.ca/page/switch-photo-health-card.
FTC. Report identity theft and get a recovery plan. Available from: https://www.identitytheft.gov/.
phishlabs. Hackers Want Your Medical Information 2017. Available from: https://www.phishlabs.com/hackers-want-your-medical-information-article-2/.
Humer C, Finkle J. Your medical record is worth more to hackers than your credit card: Reuters; 2014. Available from: http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924.
Siwicki B. Privacy & Security: Who’s responsible for protecting patient data in the cloud? : healthcareITnews; 2017. Available from: http://www.healthcareitnews.com/news/whos-responsible-protecting-patient-data-cloud.
www.hhs.gov. Guidance on HIPAA & Cloud Computing: U.S. Department of Health & Human Services; 2017. Available from: https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html.
Davis J. Are Google Drive and Amazon AWS HIPAA compliant? : healthcareITnews; 2017. Available from: http://www.healthcareitnews.com/news/are-google-drive-and-amazon-aws-hipaa-compliant.
Siwicki B. Verato and RightPatient debut cloud-based patient ID and record-matching technology: healthcareITnews; 2017. Available from: http://www.healthcareitnews.com/news/verato-and-rightpatient-debut-cloud-based-patient-id-and-record-matching-technology.
Kshetri N. Cybercrime and cyber-security issues associated with China: some economic and institutional considerations. Electronic Commerce Research. 2013;13(1):41-69.
Langner R. Stuxnet: Dissecting a cyber warfare weapon. IEEE Security & Privacy. 2011;9(3):49-51.
Hampson N. Hacktivism, anonymous & a new breed of protest in a networked world. Browser Download This Paper. 2011.
Williams PAH, Woodward AJ. Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem. Medical Devices (Auckland, NZ). 2015;8:305-16. doi: 10.2147/MDER.S50048. PubMed PMID: PMC4516335.
Green D. Data is money: stand by for the Gold Rush: 7wData: Insights in The People, Processes, Technology, and Visualisations, Making Data Work for You; 2016. Available from: http://www.7wdata.be/cloud-computing/data-is-money-stand-by-for-the-gold-rush/.
SNS-Technologies. DATA AS A CURRENCY – THE INTERNET OF THINGS & YOU IN 2016 2016. Available from: https://www.sns-it.ca/sns-weblog/home/data-as-a-new-currency-the-internet-of-things-in-2016/.
Filkins B. Health care cyber threat report: Widespread compromises detected, compliance nightmare on the horizon. SANS Institute. 2014.