By Dexter Caffey, Founder and CEO, Smart Eye Technology
The healthcare industry is currently one of the most lucrative targets for hackers. A recent report by a mobile security company shows that many digital health platforms have vulnerabilities that allow criminals to access medical health records, personal information, and even credit card and billing information. Cyber-thieves then use all this data at their disposal to commit financial/insurance fraud and identity theft.
Healthcare organizations are usually subject to stringent compliance regulations since they store great amounts of sensitive data. However, sensitive information can become prone to hacking when stored using cloud technologies. A 2018 report shows that up to 84% of healthcare organizations store data in the cloud, indicative of medical facilities being at risk and vulnerable to attacks through that avenue.
Though some medical facilities choose to store data on more secure private networks, there are reports which illustrate that these networks can also be breached. Hackers can obtain employee logins by sending employees malicious software disguised as emails. When employees key in their login information, criminals can then receive copies, and use this information to steal more data, even from secure networks.
Why Healthcare Records Are Valuable
The reason this is such a lucrative industry? Cyber criminals can opt to sell stolen medical records for hefty prices.
This has led to a demand for medical information on the dark web. Provider data is sold for up to $500 per listing, which is then used for fake insurance claims and prescriptions. Health insurance logins, sold at an average of $3.25, may be used to obtain medical services allocated for other patients.
The website PrivacyAffairs.com launched a project called the Dark Web Price Index that provides hundreds of examples of data being sold and reported the prices. Aside from medical information and health insurance records, other data being sold include online banking logins sold at an average of $40, full credit card details ranging from $14-$30, and copies of ID cards.
Hackers can obtain copies of passports when they are part of a health organization’s data system. A forged U.S. passport can be sold for $4,000 while other types of government IDs are sold from $400-$500. These are used to help criminals pretend to be US citizens or to be of other nationalities, further enabling identity thieves.
How Medical Records Are Hacked
Another common form of cyber-attack is through using ransomware, a type of malware that makes data inaccessible to the owner. A ransomware attack begins by targeting an employee through phishing, which is malware usually disguised as an email to steal employee logins.
These logins are then used to breach a secure data network so that all records can be encrypted by the ransomware, making them inaccessible. Hackers then ask for compensation (or a “ransom” in this case) in exchange for data they’ve taken. If the medical facility refuses to pay, the information is then sold on the dark web.
The best way to deal with the situation is not to negotiate but instead call the police.
Protecting Health Records from Attacks
In most cases, users don’t know that their computer or network has been infected by ransomware until they find that they can no longer access their data. There is little that can be done once this happens.
To avoid reaching this point, healthcare organizations should invest in data protection and safeguard their networks from possible attacks.
To start, the FBI provides guidelines for organizations to protect themselves from ransomware attacks. Since most attacks start by phishing information from users, the FBI warns all healthcare employees to be careful about applications they download or links that they click on while working. The FBI also reminds organizations to keep all operating systems, software, and applications up-to-date. All computers should also have anti-virus and anti-malware solutions set to automatically update and run regular scans.
Data should be regularly backed up, and checkpoints should be established to ensure that backups are completed. Backed-up data should then be further secured, stored independently, and should be kept out of access from other computers or networks.
A continuity plan should also be in place in case an organization becomes the victim of a ransomware attack, to ensure that a medical facility can continue providing key healthcare functions if health records happen to become inaccessible.
Moving Forward with Tech in Healthcare
The digitalization of medical information has introduced technologies that enable medical facilities to store and update patient records in real-time, a big leap from the slow process of manual filing. However, these new technologies also give rise to new vulnerabilities.
Healthcare organizations and medical facilities need to adopt not just the latest record-keeping tools but also the best security systems to protect their data, making their digitization holistic.
Cybercriminals are constantly on the lookout for their next victims. Medical facilities should remain vigilant to ensure that they can provide the best protection possible for their patients.
About the Author
Dexter Caffey, Founder and CEO of Smart Eye Technology.
Dexter Caffey founded Smart Eye Technology in January 2018.
Prior to his tech startup, Mr. Caffey founded an alternative investment firm, Caffey Investment Group, in 1998 at the age of 25.
While on a business trip to Israel in the fall of 2017, Mr. Caffey attended a cybersecurity conference. As he chatted with another conference attendee who was a cybersecurity expert, he happened to glance at the man’s laptop screen and saw open word documents and PDF files. “Why should I be able to see any document on this guy’s laptop?”
He asked himself “what if I could create an app that prevented anyone else from seeing what’s on my screen? An app that would look at their face and say, ‘Nope, I only recognize Dexter’s face. We’re blocking you out.’” The idea and pursuit of a new type of technology to help protect the privacy of confidential information was born.