Medical identity theft has been escalating dramatically where cybercriminals have found an industry ill-prepared to adequately protect itself from the onslaught. This article will briefly discuss the various aspects of cybercrime waged against the medical industry, the reasons for it and methods for its prevention.

The medical industry as a whole have been laggards addressing security by failing to sufficiently protect sensitive information stored on lost or stolen laptops, smartphones and flash drives. Personal Health Information (PHI) records have been compromised where hackers have now begun threatening hospital operations of hospitals and other health care facilities. A recent example is the ransomware attack against Hollywood Presbyterian Medical Center in Los Angeles, CA.

Another notable example is Advocate Medical Group in Chicago where 4 million people were directly affected. Advocate Medical Group did not notify affected patients until more than a month after the theft while stating the laptops were password protected. The lost data included social security numbers, which places the patients at higher risk of identity theft. The total number of affected individuals is eclipsed only by a 2011 incident in which 4.9 million medical records were compromised when backup tapes were reportedly stolen from an employee’s car. A subsequent class action lawsuit for the 2011 event seeks $4.9 billion compensation, $1,000 per affected person.

Healthcare providers are not the only victims, in addition to them were the massive breaches involving the healthcare insurance providers of Anthem and Premera Blue Cross where 80 million and 11 million individuals were affected respectively.

The Reasons

Cybercriminals commonly chase basic identify information such as names, birth dates and health insurance contract and group numbers they can sell for just $20 on the black market, according to researchers at Aberdeen Group. However the lucrative identify theft kits fetches $1,500 and far more when medical data is included that can be used to obtain prescription drugs illegally and commit insurance fraud. Many of these high end all inclusive kits contain PHI in addition to the social security numbers, banking credentials, credit card information and PINs. This information is used to include professionally forged and custom-made physical credentials such as insurance membership cards, social security cards, driver’s licenses, passports and credit cards. Health data is a tempting target for thieves for a number of reasons and has become more valuable than financial information.

Unlike the medical industry, financial institutions protect their customers from liability, they also re-issue new credit cards and monitor financial inconsistencies as red flags of fraud. Medical data on the other hand has lasting value since it is very difficult for an individual victim to do anything about resolving it or offered legal protection. Healthcare information is nonrecoverable and potentially has lethal consequences in the wrong hands.

For example, victims of medical identity theft can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show a person having diabetes when they don’t or list a blood type that isn’t theirs that can lead to dangerous diagnoses or treatments. Adding insult to injury, a victim often can’t fully examine his own records because the thief’s health data, now folded into his, are protected by medical-privacy laws such as HIPAA. More than that hospitals continue to pursue victims for payments they didn’t incur and not offered legal protection in the event of fraud.

Cybercriminals traditionally have gone after financial information from medical breaches, they typically don’t care about your medical data such as cholesterol levels, surgeries, blood laboratory results, etc. That has changed in a big way and cybercriminals have found yet another lucrative market extracting the personal health information (PHI). This is in addition to simply using a credit card or Social Security number from a medical file to commit basic financial fraud, they parse the information out to different buyers.

For instance, if a patient has cancer or another serious health issue the medical data in the record could be sold to data brokers who sell information to marketers, such as pharmacy companies and hospitals that want to target cancer patients. The uses for medical data become even more sophisticated where the PII could be used for visas and passports, the PHI provide the physical characteristics of a person with access to high-security systems could help criminals breach them, biometrics is one example among others. Currently over half of the identity thefts involve family member situations where an uninsured person uses a friend or relative’s insurance identification card to obtain healthcare services.

Protection

While the financial industry have implemented security infrastructures to combat cybercriminals, the healthcare industry are laggards. Establishing a sound security program is of critical importance with the threat of cyberattacks and breaches occurring on a daily basis. Medical provider executives, in particular the CIOs and chief information security officers (CISO), should be given the right levels of authority and be positioned so they can have the greatest impact when it comes to security matters at a hospital or healthcare system. It must be understood the C-suite execs must do more than just meet compliance standards, but need to implement a security on top of compliance approach. The following should be implemented:

The CISO

The right individual for the position needs to be identified and brought on board then a line of communication must be established at each level of the organization. Moreover, the CISO must be given all the authority, autonomy and resources that they need to be successful.

Governance and The Chain of Command

Establishment of a security governance council with key executive leaders along with the CISO is imperative. This council will oversee the needs linking security and compliance to executive leadership.

CISO and CIO Leadership

One of the toughest tasks in any medical care environment is protecting patient data while ensuring clinicians access to that data in performing their job. The CISO and CIO must partner like never before, both must ensure ownership and accountability on technology risk, proactively break down barriers between compliance and security staff while being well prepared for any cyberattacks or breaches.

Conclusion

Medical identity theft is a very serious issue where victims are seldom afforded legal protection to deter financial or worse, physical harm with a potential misdiagnosis. Cybercriminals have found an identity treasure bonanza where not only can they exfiltrate PII but get PHI data all in one shot which has devastating consequences. It is also an important realization that our consumer protection laws are inadequate to protect victims of this fraud and the medical and insurance industries must do more to protect the patients they serve.

Photo: Flickr user Nick Carter