According to Health IT Security, the 10 largest breaches in 2019 (thus far) have each seen more than 200,000 records breached, leaving many experts to speculate that 2019 may be the worst year we’ve ever encountered for healthcare-related breaches. Drummond understands that the protection of electronic health records (EHRs) is of paramount concern to health IT developers, and ONC certification sets forth only minimal privacy and security requirements.
To help our customers defend against the most prevalent threats facing the healthcare industry, Drummond and our strategic partner, Lares®, are excited to introduce an educational blog series for those responsible for the protection of EHRs, including systems administrators, application developers, and executive leadership.
This multi-part series will explore several EHR areas of concern for health IT developers from the trusted cybersecurity experts at Lares. Series topics will include
- digital theft of EHR and dark web profiteering,
- ransomware impact,
- application development and systems interoperability,
- mobile application security,
- Internet of Things (IoT) security, and
- the updating of organizational cybersecurity programs to better prepare for the aforementioned threats.
We will kick off the series with an overview of digital theft of EHR and how thieves profit from such theft. You’ve undoubtedly heard of the “dark web” but do you know how it differs from the “deep web” and “surface web”?
The Wide World of Webs
The surface web consists of all web-based content (e.g., amazon.com, microsoft.com, lares.com) that can be found via search engines such as Google and Bing. These websites are indexed (i.e., cataloged and recorded) by the various search engines so that humans can easily find them using associated keywords and phrases. Pages that are not indexed by search engines are considered the deep web and, for all intents and purposes, can be considered hidden. Also, special anonymization software (such as Tor) must usually be utilized to connect to the network where the websites are published. The deep web exists to provide the sharing of information between parties that wish to remain anonymous – think the organizing of political dissent versus criminal activity. A subset of the deep web is the dark web. The primary purpose of the dark web is the hosting of websites linked to criminal activity and illegal marketplaces. The dark web is often used to facilitate the sale and purchase of stolen information, such as EHR data, via forum websites. These purchases are usually transacted using digital cryptocurrencies such as Litecoin, Dash, and Bitcoin.
What’s it Worth?
How much is this information worth, you might ask? Well, even in the underground economy, the principles of microeconomics apply and the laws of supply and demand continue to dictate the price for EHRs. Since EHRs are designed to share a patient’s medical history with authorized providers and staff, there is a considerable amount of information of value to would-be attackers. According to Experian, full medical records can command up to $1,000 because they’re an identity thief’s dream: date of birth, place of birth, credit card details, Social Security number, address, and emails. A 2017 Trend Micro report provides a July 2016 screenshot of a seller offering comprehensive medical profiles obtained from a hacked EHR database on the now-defunct dark web market AlphaBay.
The EHR profiles contained patient name, Social Security number, address, date of last visit, date of next appointment, follow-up treatment dates, date of birth, and health insurance ID numbers. Prices per patient information item started as low as $5 per record.
Though identity theft can be profitable, it pales in comparison to the potential financial gains facilitated by traditional extortion. Imagine a scenario in which a patient of your organization is diagnosed with a potentially embarrassing and career-ending medical problem that the individual would prefer not to disclose to the public, as is their right. A criminal could purchase an EHR database stolen from your organization and use the private information to extort money or favors, or otherwise influence the individual, in exchange for not releasing the information to the public. A criminal with this data in hand could use sensitive information about health conditions and diseases to extort a victim for years.
Limiting Exposure and Impact
There are several things that your organization can do to limit exposure to EHR data theft:
- Identify and catalog the systems and data assets within your organization so that you are always aware of, and are able to point to, where EHR data resides.
- Audit who is authorized to access your EHR data and code repositories, and continuously monitor who does have access – and who makes changes.
- Ensure that EHR environments, including, but not limited to, servers, databases, and desktop, mobile, and web applications, are continuously monitored for vulnerabilities and are patched regularly.
- Perform regular penetration testing of EHR systems, applications, and provider workstations to help ensure unknown vulnerabilities cannot be exploited by an attacker.
- Consider leveraging a reputable “dark web monitoring” service to provide advanced warning that data related to your organization has been found for sale on illicit marketplaces.
- Draft, or revise existing, policies surrounding the appropriate use of EHR data within the organization, when integrated with third-party cloud-hosted platforms, and when shared with third parties.
- Conduct social engineering testing of employees responsible for handling EHR data to ensure that they are kept abreast of current techniques to exploit their trust and access.
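The second recommendation above (audit who is authorized to access EHR data and keep watching who actually accesses or changes it) is the one most directly turned into a recurring check. The script below is an added example, not code from Drummond or Lares: it runs an audit pass over a few constructed EHR access-log lines against a constructed authorization list and flags three things a reviewer would want surfaced: access by a user who is not on the authorization list at all, an action the user's role does not permit (here, a billing account updating a clinical record), and one account touching an unusual number of distinct patient records in a short window. The log format, user names, roles, and thresholds are all assumptions made for the example.

```python
"""
Added example (not part of the Drummond/Lares post): a small audit pass over
constructed EHR access-log lines supporting the recommendation to audit who
is authorized to access EHR data and to monitor who accesses or changes it.
The log format, user names, roles and thresholds below are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization list: user -> role, and role -> permitted actions.
AUTHORIZED_USERS = {
    "dr.alvarez": "physician",
    "nurse.kim": "nurse",
    "billing.ortiz": "billing",
}
ROLE_PERMISSIONS = {
    "physician": {"READ", "UPDATE"},
    "nurse": {"READ", "UPDATE"},
    "billing": {"READ"},
}

# Bulk-access rule (assumed threshold): more than BULK_LIMIT distinct patient
# records by one account inside BULK_WINDOW is unusual for hands-on care.
BULK_LIMIT = 3
BULK_WINDOW = timedelta(minutes=10)

# Constructed sample log lines. Assumed format: timestamp user action patient_id
SAMPLE_LOG = """\
2019-09-03T08:01:10 dr.alvarez READ P1001
2019-09-03T08:02:45 nurse.kim UPDATE P1001
2019-09-03T08:05:00 billing.ortiz UPDATE P1002
2019-09-03T08:06:30 contractor.x READ P1003
2019-09-03T08:10:00 billing.ortiz READ P2001
2019-09-03T08:11:00 billing.ortiz READ P2002
2019-09-03T08:12:00 billing.ortiz READ P2003
2019-09-03T08:13:00 billing.ortiz READ P2004
"""


def parse_line(line):
    """Split one log line into (timestamp, user, action, patient_id)."""
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient


def audit_access_log(log_text):
    """Return a list of (rule, user, detail) findings for the given log text."""
    findings = []
    events_by_user = defaultdict(list)  # user -> [(timestamp, patient_id)]

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, action, patient = parse_line(raw)
        role = AUTHORIZED_USERS.get(user)
        if role is None:
            # Account is not on the authorization list at all.
            findings.append(("unauthorized_user", user, f"{action} {patient}"))
            continue
        if action not in ROLE_PERMISSIONS[role]:
            # Known account, but the action exceeds what its role permits.
            findings.append(("action_not_permitted_for_role", user,
                             f"{action} {patient} as {role}"))
        events_by_user[user].append((ts, patient))

    # Sliding window per account: count distinct patients reached within
    # BULK_WINDOW of each event; report the first window over the limit.
    for user, events in events_by_user.items():
        events.sort()
        for i, (start_ts, _) in enumerate(events):
            window = {p for ts, p in events[i:] if ts - start_ts <= BULK_WINDOW}
            if len(window) > BULK_LIMIT:
                findings.append(("bulk_record_access", user,
                                 f"{len(window)} distinct patients within {BULK_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit_access_log(SAMPLE_LOG):
        print(f"{rule:32} {user:16} {detail}")
```

In practice the authorization list would be pulled from the identity provider or the EHR application's role configuration rather than hard-coded, and the findings would feed a ticket or SIEM alert; the point of the example is that the "who is allowed" list and the "who actually did" log are compared continuously, not only during an annual review.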
To limit impact or fallout in the event of a breach, your organization should:
- Establish a formal incident response policy with associated documented procedures to address system-specific EHR breach mitigation and investigation steps.
- Conduct annual incident response tabletop exercises to train personnel on their duties in the event of an EHR breach and update the plan as new technology is implemented.
- Establish contacts with local, state, and especially federal law enforcement to maintain an open channel of communication regarding the sharing of current targeted threat activity.
- Investigate the clauses within your current (or prospective) cybersecurity insurance policy to ensure data exposure of this nature is covered.
- Designate a Chief Information Security Officer (CISO), Virtual CISO (vCISO), or another executive-level individual as the person responsible for managing the security program within the organization.
We hope you enjoyed the first post in this series. If you find that, after reading this blog post you need help implementing some or all of the recommendations, we’d be happy to help. Lares® has extensive experience assessing and advising on the cybersecurity challenges faced by healthcare providers and organizations. Contact us today to learn how we can help you quickly answer the above questions.
Please let us know if you have any questions about this blog post and look for the next post in the series in the coming weeks.