Daily

Healthcare hackers see increasing profit in stealing patient data

At this point, data breaches at health systems are not a new issue, but news of Community Health System’s breach was striking not just for its sheer size, but because it demonstrates a sophisticated understanding of the value of patient data in the global marketplace. That’s according to John Gomez, CEO of sensato, a HIT software company based in […]

At this point, data breaches at health systems are not a new issue, but news of Community Health System’s breach was striking not just for its sheer size, but because it demonstrates a sophisticated understanding of the value of patient data in the global marketplace.

That’s according to John Gomez, CEO of sensato, a HIT software company based in New York, responding to MedCity News’ inquiry to HIT experts.

Tennessee-based CHS reported that Social Security numbers and other patient information for some 4.5 million patients was stolen by sophisticated Chinese hackers, making it the largest healthcare data breach on record since the federal Health and Human Services began tracking them in 2009.

The previous record was information on 1 million patients stemming from an attack on the Montana Department of Public Health, according to Reuters.

Chinese hackers have targeted a range of industries across the U.S., including healthcare organizations. Healthcare data breaches have often been tied to the loss of data of a thumb drive by an employee or accidental disclosure by way of unencrypted data. But if hackers now have a clear sense of the financial gain from health records, health systems will most certainly want to redouble efforts to keep the data secured.

To that end, criminal attacks on healthcare organizations are increasingly commonplace, according to a March 2014 study by the Ponemon Institute.  

“These types of attacks on sensitive data have increased 100 percent since the study was conducted in 2010 from 20 percent of organizations reporting criminal attacks to 40 percent of organizations in this year’s study,” the report says.

In addition, the average cost of data breaches is on the rise, reaching $3.5 million, or 15 percent more than the cost last year, according to a separate report from Ponemon.

“China in terms of a threat to the technical infrastructure of healthcare is not new overall,” Gomez said. “Healthcare organizations, large and small, are continually probed and tested by threats around the globe, including Russia, Ukraine, the Middle East and obviously China. What makes the attack on CHS stand out is the sheer size and commitment of the attack, as well as their understanding of the value of patient data in the global marketplace.”

Just how much can you get for such a vast cache of patient information?

“Patient data is a commodity and depending on the market and other economic factors, they can net around $50 to $120 per record, possibly more, given the media attention.” Gomez said, noting that even if at the $50 end, for 4.5 million records, that amounts to $225 million. “The big issue is really around does this create an economic incentive for others?”

In the case of CHS, the health system and its forensic expert company, Mandiant, believe the attacker was an “Advanced Persistent Threat” group, who used “highly sophisticated malware and technology to attack” its systems, according to a statement filed with the SEC. The company also said it has already “finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.”

If a large, well-run system like CHS is vulnerable, the question then is what measures can be taken on top of the basics, such as intrusion detection, vulnerability management and firewalls?

“The challenge is what can hospitals do beyond the basics,” Gomez said. “Things like real-time privacy compliance monitoring, automated business associate management, data categorization and classification are all more advanced techniques, but those may not have prevented this attack.

“The key thing to keep in mind is that hackers are learning that healthcare is a rich industry to attack,” he added. “I suspect we will see many more attacks in the coming months and unfortunately it will cause serious financial impact to patients and the healthcare industry overall.”

And it could very well be a sign of things to come in healthcare, which is a relative newcomer to the woes of cyber-security, particularly for institutions that might be struggling financially.

“Those with tighter budgets are more vulnerable as they don’t have access to the capital and talent needed to secure their systems,” Gomez said. “It isn’t just hospitals, but clinics, doctors’ offices, retail pharmacies and others who are part of the industry who are at risk. A typical hospital has about 400 business partners who they share patient data with – so that is a pretty serious ecosystem and a rather rich and fertile ground for hackers. This is just the beginning.”

Then, of course, there’s the hit to any system’s reputation, whether the company was negligent or not.

“The bigger impact to (CHS) is the loss of faith by their patients to safeguard their data,” Gomez said. “Think about the economic and brand impact to Target – it was rather devastating. Unfortunately or Community Health, they are now the Target cyber-breach of healthcare.”