Healthcare data and data breaches: A second opinion:
- 12 February, 2015 13:59
We've barely begun 2015, yet some security predictions made at the end of last year are already being tested. One of those was a prediction by RSA that criminals will turn their attention to stealing personal health information, and the recent attack on US health insurer Anthem is just one symptom that it might be happening sooner than our initial diagnosis.
It's evident that healthcare records matter, but why? Why would a criminal be interested if you went to your local GP three times this year? What is being done to secure records? Where does Australia fit compared to other parts of the world?
Is there really an unhealthy obsession?
According to the Identity Theft Research Center 2013 report, the healthcare sector accounts for more than 44 percent of reported major data breaches -- higher than the business sector, which accounts for about 32 percent.
The increase is in part because there is regulation around healthcare incidents in the US, but there are also more reasons for criminals to steal healthcare information than the traditional credit card information that we're used to seeing, including how much they are worth.
What is healthcare data worth?
RSA has seen stolen health credentials being sold for US$10 each and includes names, birth dates, policy numbers, diagnosis codes and billing information. Although this can represent about 10 or 20 times the value of a typical US credit cards, the difference can fluctuate as batches of credit card numbers varies according to supply and demand.
For example, Asian credit cards are typically harder to obtain, increasing their value on underground markets. However, in the event of large retail breaches, the overall price of credit cards can drop significantly as the market is flooded with enough cards to meet demand.
RSA has seen credit cards sold in batches of 1000 for as little as US$50 and ranging occasionally into the low hundreds.
How does healthcare data differ from credit card information?
While credit cards are the primary form of purchasing, healthcare data is instead used for identity theft. As banks become more efficient at responding to fraud and cancelling cards, stolen credit card "freshness" becomes an important factor for thieves.
Customers can easily change or cancel their cards at the first sign of fraud, but their health data is unique to them and cannot be changed. This makes it much more valuable to criminals, but also more important for individuals to protect.
What do criminals do with the data?
Using the healthcare data, criminals can create fake IDs to buy medical equipment or drugs they would not normally have access to. However, they can also combine a patient number with a false provider number and file made-up claims with insurers. As the claims procedure often has valid payment information already in place, or agreements are drawn up as part of employee benefits to expedite the process, criminals don't need to provide these details.
Alternatively, in a reimbursement scheme, criminals can modify payment details after stealing the individual's identity.
In a recent case, one patient in USA learned that his records were compromised only after he started receiving bills related to a heart procedure. His credentials were also used to illegally purchase a mobility scooter and several pieces of medical equipment, amounting in tens of thousands of dollars in total fraud.
What is being done to protect healthcare records?
Australia is still behind on data breach notification legislation when compared to the US. In the business sector, the stand-out example begins in California with the state's Senate Bill 24 on Data Security Breach Reporting requiring businesses or state agencies to report when Californian residents' information is involved in a security breach.
In addition, with cybersecurity issues coming to the fore recently amid nation spying accusations, the US is actively debating national legislation on top of the existing state-based provisions for data breach notification. Already, more than three quarters of professional IT body ISACA members surveyed are in favour of national legislation.
In Australia, the debate has a long history, with breach notification recommendations made as part of the Australian Law Reform Commission's review of the Privacy Act. The review began almost a decade ago, with formal recommendations made after a 28-month process, but the recommendations only began to see movement through Parliament in 2012. A 2013 report by the Office of the Australian Information Commissioner (OAIC) found in passing that "for government agencies, nearly all Australians (96%) believe that they should tell them how their personal information is stored and protected, and that they should be informed if their personal information is lost (96%). The results for private businesses are similar (95% and 96% respectively)."
Despite this, data breach notification remains a recommended action in Australia for the private sector, meaning that private health insurers are under no onus to report a breach where health records are involved. They may be found to be in breach of the Privacy Act by failing to take "reasonable steps" to protect such information, but under existing legislation cannot be penalised for remaining silent on the breach.
Mandatory data breach legislation does exist, however, for Australia's national eHealth records system formerly known as the Personally Controlled Electronic Health Record (PCEHR) system. The PCEHR Act governs over the national records system, and requires that those responsible for operating the system must inform the Australian Information Commissioner if there has been a breach.
In its 2013/14 financial year report, the OAIC revealed that it had received two mandatory breach notifications from the nation's PCEHR operator. The cause of both breaches were quickly resolved to the OAIC's satisfaction.
Are we protected?
It is encouraging to see mandatory notifications for the nation's eHealth records system forcing more focus on the protection of healthcare information. But private healthcare providers that are as yet exempt from such laws should recognise that as slow as legislation may be to reach them, the criminal threat is already here.
These organisations are, in general, poorly prepared to deal with any form of modern cyber attack. In Australia there is still a focus on adding more preventative controls and technology with the false belief that they can be set and forgotten and raise an alert when anything bad happens.
This is akin to the medieval castle adding more bricks to the perimeter wall. Attackers will come back with a bigger ladder, or a different mechanism to get over the wall. Forward-leaning security organisations have changed the way they approach cybersecurity. They have come to accept that it is likely they will get hacked -- that the attacker will eventually get over the wall.
To address this, they are instead focusing on detection and response to ensure that once someone gets over the wall, they can be quickly detected and dealt with before they are able to do any damage.
Of course, there are healthcare organisations that are leading the way in protecting their customer's data, including healthcare data, and these organisations are typically developing their security around the triad of visibility, analysis and action.
Visibility into all aspects of their environment including security logs, full network packet capture, net flow data and behavioural data from endpoints. Analysis to detect anomalies -- rather than looking for the needle in a haystack, or even the needle in a stack of needles, they can remove the hay until only the needle is left. And appropriate action to eliminate the threat.
In order to achieve this there organisations need to rebalance their priorities in prevention, detection and response to ensure that rather than just adding more technology (or bricks), the business ensures its people have the right skill sets, experience and defined processes to work through incidents as they are raised.