Protecting patients and providers from rising rates of healthcare fraud

Cybersecurity remains a significant issue on everyone's radar in 2018, and the latest figures suggest the situation is worse than many expected.

Researchers from McAfee Labs recorded eight new cyberthreats every second throughout the final quarter of 2017 — twice the rate of the previous quarter. New attacks specifically targeted at the healthcare industry also surged 211 percent.

Do the math, and that's nearly 500 new cyberthreats per minute, many of which can open the door for attackers to commit healthcare fraud with the information they steal. Cyber fraud is already a massive problem in healthcare, which makes this surge even more alarming. By some estimates, healthcare fraud costs U.S. providers up to $100 billion each year. The data show that the number is rising and that it is unlikely to slow down anytime soon.

Cybercriminals have shed whatever reluctance they once had about targeting healthcare and are increasingly making the industry a primary target, largely because it is a massive repository of protected health information (PHI) and personally identifiable information (PII). The safeguards mandated by the Health Insurance Portability and Accountability Act (HIPAA) are designed to protect this data, but today's attackers are highly motivated.

PHI can be sold to third parties who use it to steal identities and commit other types of fraud. More consequential is when PHI is used to facilitate larger healthcare schemes: stolen records can be used to file fraudulent Medicare claims or to obtain prescriptions for painkillers that command high prices on the street.

The rapid rise of cyber fraud in healthcare should concern hospitals and providers. Unfortunately, the negative impact also affects patients, communities, economies and the country as a whole.

Why healthcare data is more valuable than most

Stolen PII is subject to the same forces of supply and demand as any other commodity. Now that information on hundreds of millions of Americans has made its way to the dark web, the value of one Social Security number is fairly low: about one dollar.

PII on its own has little intrinsic value; it is simply an asset that criminals use to facilitate various frauds and schemes. Because it takes a lot of work to turn a Social Security number into a windfall, the number itself sells cheaply. PHI is the exception.

The average electronic medical record is filled with highly personal (and potentially highly sensitive) information. That includes names, addresses, birth dates and Social Security numbers — along with details about a person’s health, prescriptions and treatment plans. In addition, the records often include specific data regarding insurance coverage and payment plans.

Collectively, that information lets criminals defeat a number of standard controls. PHI can be used to set up false identities, answer knowledge-based security questions, pass the identity checks behind anti-fraud screening or social-engineer a way through the account-recovery processes that back two-factor authentication. One stolen electronic health record opens up myriad options for fraud.

The full potential of this threat was made clear when a substance-abuse treatment facility in Baltimore had its patient database breached. In addition to PHI, the attackers accessed information about methadone treatments, dosing instructions and dates of admission. Data like that raises the potential for blackmail and other schemes that use a patient's past health records against them.

More attackers are active now than ever before, which means they are competing to monetize a pool of data whose value has been diluted by repeated breaches. That makes PHI a uniquely valuable asset, and the drive for profit can be expected to outweigh whatever ethical misgivings attackers may have about targeting hospitals and clinics.

Why compliance and risk are out of step

HIPAA regulations are strict, and when followed scrupulously they reduce the risk to PHI and to the providers who store it. The problem is that being compliant with HIPAA is not the same as being serious about cybersecurity.

Adhering to HIPAA mandates means checking off a series of boxes for administrative, technical and physical safeguards. But even when the checklist is completed, numerous ways still exist for PHI to fall into the wrong hands, including an accidental breach caused by human error or even a next-generation threat that falls outside current security measures.

Prioritizing compliance over security inevitably leads to vulnerabilities. The better strategy is to prioritize robust security and meet compliance obligations through implementing broader institutional safeguards. Think of compliance as just one of the byproducts of strong cybersecurity.

This carries the added benefit of protecting against other types of fraud. In July 2017, the Department of Justice and the U.S. Department of Health and Human Services announced the largest-ever healthcare fraud enforcement action, charging 412 defendants, including 115 doctors, nurses and other licensed medical professionals, with roughly $1.3 billion in false billings. The alleged schemes are complex, but had the affected healthcare organizations placed greater emphasis on data protection and monitoring, the false billings might have surfaced sooner and the fallout might not have been as severe.

When hospitals take a holistic approach to cybersecurity, they can protect PHI, meet compliance requirements, and safeguard the reputation of the institution. The measures don’t eliminate the risk of fraud, but they mitigate the worst consequences.

Making cybersecurity a priority

The increasing cyberattacks on healthcare demonstrate that the industry's current cybersecurity strategies still have room for improvement. Many providers cannot keep pace with the frequency and volume of attacks, or recognize new strains of malware. That leads to only one conclusion: if hospitals do not upgrade their cybersecurity practices, they will face more destructive forms of fraud.

The first step is to understand what protections and protocols are currently in place. The second step is to add tools and ensure that the culture makes cybersecurity a priority:

• Address the basics: Simple steps like improving the strength of passwords, implementing two-factor authentication and eliminating common human errors do a lot to upgrade security. Hackers often target low-hanging fruit, and when they encounter an obstacle, they move on to another target. Staying serious about basic cybersecurity best practices can limit overall threat exposure.

• Implement multiple layers of security: There is no single solution for every cyberthreat. Healthcare organizations must rely on multiple layers of security that filter and deflect danger at every level. One of those layers must be basic operational hygiene, such as timely patching and regular, tested backups of critical data. The goal is not only to block more threats, but also to limit the damage when one gets past your defenses.

• Make training a priority: Internal employees can create a lot of risk if they don’t know how to spot potential instances of fraud. Training and educating all staff about identifying red flags and understanding how to respond is a must. Revising and reinvesting in training has to be an ongoing priority, and it’s worth the investment for the protection it produces.

• Focus on key vulnerabilities: The email inbox is full of valuable data, offers a path into a hospital's network, and is ripe for all sorts of schemes and scams. Filtering threats out of inbound messages and encrypting sensitive outbound email are essential safeguards. Even when an attack comes through a different channel, the damage is likely to be more contained if email is not an open door.

• Think past tech: Cybersecurity isn’t only about protecting networks; it’s also about limiting physical access, performing background checks on new employees and watching out for internal threats.

• Vet the vendors: When hospitals share data or network access with vendors or third parties, they also inherit those partners' security posture. If a vendor's standards are not up to par, the risk lands on the provider. Vetting and selecting vendors on the basis of verifiable commitments to cybersecurity, and holding them to those commitments, keeps partners from becoming liabilities.

Cyber fraud in healthcare is rising. At the same time, tolerance for cyber incidents is falling among consumers and regulators. Just as this problem is growing more frequent, it’s also growing more consequential. Taking a more proactive approach to cybersecurity isn’t an option for hospitals — it’s the only choice.

David Wagner has more than 25 years of experience in the IT security industry. He serves as the president and chief executive officer of Zix, a leader in email security, and previously held leadership roles at Entrust for 20 years. With his IT security and leadership background, David offers a business perspective that enables company leaders to better understand evolving cyberattacks and prepare for future threats.

© Copyright ASC COMMUNICATIONS 2018.