Part 2 of a 2-Part Series on Healthcare in the U.S.
In the first part of this series, I introduced the growing problem of fraud in the United States healthcare system. From Medicaid scams to fraudulent prescriptions, often involving everyone from patient to physician and on up to businesses and organizations, healthcare fraud has metastasized into a national crisis. Criminals have now set their sights on the ongoing shift to electronic records driven by laws like HIPAA and the Affordable Care Act, seeing a vulnerable system they can breach and stolen information they can sell on the black market. In part two, we take a closer look at cybercriminals, their tactics, what attracts them to the healthcare industry and what is being done to stop them.
Healthcare fraud in the United States has moved into the cyber underworld. According to current FBI estimates, data breaches cost healthcare organizations nearly $6 billion per year, and 90 percent of the organizations surveyed suffered at least one breach over the past two years.
And it is not going to stop any time soon. The FBI also recently reported that healthcare-related cybercrime is expected to increase amid the ongoing shift to electronic health records (EHRs) and patient-provider portals, despite the development and deployment of technical controls meant to prevent identity theft through data breaches.
Regulations like HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) have helped to safeguard the integrity and privacy of patient records and sensitive medical data, yet there are always gaps in the adoption process, gaps that cybercriminals can exploit to cash in on personal data harvested from breached patient records. According to Rick Kam, CIPP/US, president and co-founder of ID Experts, cyber-attacks, and the threats and risks that come with them, are shifting, and “organizations are in a constant state of catch up.”
Cybercriminals are organized, intelligent, and bold. As they grow even more audacious in their acts, federal agencies and healthcare organizations continue to expand their technology and intelligence assessments through the use of sophisticated data-mining techniques to identify patterns of fraud, systemic weaknesses and aberrant billing activity.
Yet security firms report that the healthcare industry is still not technologically prepared to defend itself against even basic cyber-threats, and is badly unprepared for sophisticated attacks from advanced persistent threats such as nation states or well-funded organized cybercrime groups. Recent reports by Javelin Strategy and Research found that one in four people who receive a data breach notification goes on to become a fraud victim, up from one in nine in 2010.
Since then, attacks have doubled. Cybercrime in the healthcare industry is still relatively young, but so is the online exchange of healthcare information that gives it a target. To put it in perspective, over the past two years 63 percent of healthcare organizations reported data breaches, with average losses estimated at $2.4 million per breach. Nearly half of the organizations surveyed had failed to implement security measures to protect patient records.
Cybercriminals seek out Personally Identifiable Information
Over the last decade the threat to organizations and personal information has continued to grow. According to a white paper published by EMC, “The once popular hacker stereotype of a lone, alienated techno-nerd breaking into an organization’s systems for fun has given way to a truly frightening reality of coordinated groups of innovative cybercriminals who collaborate, facilitate and strike aggressively. They rely on a range of advanced cyber-attack methods and social-engineering techniques to steal sensitive data and then cash out in the real world, or in the same underground market where demand is well-publicized and fraudsters are well compensated.”
The pay dirt for these cybercriminals is personally identifiable information, or PII. EHRs and healthcare portals contain massive amounts of it, including dates of birth, Social Security numbers, and details of medical diagnoses and treatments whose exposure violates a patient’s privacy. And if those patients pay their medical bills online, or use other hosted account management services, their financial data is also at risk of theft.
Furthermore, medical identity theft takes twice as long to detect as ordinary identity theft. Victims can close a bank account, but they cannot change their personal information or their medical records, which is why a full PII record is far more valuable on the black market than a credit card or bank account number.
For example, the street value of a credit card number or Social Security number alone is around $1 USD, but when full PII is bundled with it the price climbs to approximately $500 USD, with each set of healthcare credentials adding a further $20. According to the World Privacy Forum, the average payout for medical identity theft is $20,000, compared to $2,000 for ordinary identity theft.
Healthcare credentials are of particular value in a struggling U.S. economy: as the cost of private health insurance climbs sharply, some people are using stolen credentials to obtain free or discounted medical care.
The threat to consumers and healthcare organizations
Cyber-fraudsters employ a range of tools and methods, including phishing, Trojans and other malware, that target a healthcare organization’s internal systems as well as the external connections into them. Once they have breached a system there are many ways to profit from the stolen data. Those with no means or knowledge to use the information themselves can sell it to the highest bidder, who can then use it for a number of illicit acts, including:
- File false patient claims with insurers and government agencies
- Use EHR data to bill for services never rendered
- Steal pharmaceutical data to order prescriptions and resell the drugs online
- Use personal account information to buy prescriptions and have them delivered to a different address for resale
- Write fake prescriptions using physician information in schemes that involve the purchase and resale of prescription drugs
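The data-mining approach mentioned earlier, identifying aberrant billing activity, is the defensive counterpart to the “bill for services never rendered” and false-claim schemes in the list above. The following is an added example written for this page, not code from any agency, payer or vendor the article mentions. The claim fields, the sample claims and the three thresholds are assumptions constructed for illustration; a real program would join claims against eligibility and provider data and derive thresholds from peer statistics rather than fixed constants.

```python
"""Flag aberrant billing activity in a batch of claims (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    provider: str
    patient: str
    cpt: str       # procedure code billed
    date: str      # service date, YYYY-MM-DD
    minutes: int   # face-to-face time the code represents
    amount: float  # amount billed


# Thresholds are assumptions chosen for this example, not payer or regulatory values.
MAX_MINUTES_PER_DAY = 16 * 60  # more than 16 billed hours in one day is implausible
HIGH_LEVEL_CODE = "99215"      # highest-complexity established-patient office visit
UPCODING_SHARE = 0.75          # share of visits at the top level that warrants review


def find_duplicates(claims):
    """Identical (provider, patient, code, date) submitted more than once."""
    counts = Counter((c.provider, c.patient, c.cpt, c.date) for c in claims)
    return sorted(key for key, n in counts.items() if n > 1)


def find_impossible_days(claims):
    """Provider-days whose summed billed time exceeds what one clinician can deliver."""
    minutes = defaultdict(int)
    for c in claims:
        minutes[(c.provider, c.date)] += c.minutes
    return sorted((key, m) for key, m in minutes.items() if m > MAX_MINUTES_PER_DAY)


def find_upcoding(claims):
    """Providers billing nearly every visit at the most expensive level."""
    total = Counter(c.provider for c in claims)
    top = Counter(c.provider for c in claims if c.cpt == HIGH_LEVEL_CODE)
    return sorted(p for p in total if top[p] / total[p] > UPCODING_SHARE)


def audit(claims):
    return {
        "duplicates": find_duplicates(claims),
        "impossible_days": find_impossible_days(claims),
        "upcoding": find_upcoding(claims),
    }


def flagged_providers(claims):
    """Providers that tripped at least one check, for the review queue."""
    r = audit(claims)
    hits = {k[0] for k in r["duplicates"]}
    hits |= {k[0] for k, _ in r["impossible_days"]}
    hits |= set(r["upcoding"])
    return sorted(hits)


# Constructed sample data: P1 bills plausibly, P3 resubmits one claim,
# P2 bills 26 top-level visits in one day including an exact duplicate.
CLAIMS = [
    Claim("P1", "A", "99213", "2014-03-03", 15, 75.0),
    Claim("P1", "B", "99214", "2014-03-03", 25, 110.0),
    Claim("P1", "C", "99213", "2014-03-04", 15, 75.0),
    Claim("P1", "D", "99215", "2014-03-04", 40, 180.0),
    Claim("P3", "G", "99213", "2014-03-05", 15, 75.0),
    Claim("P3", "G", "99213", "2014-03-05", 15, 75.0),
    Claim("P3", "H", "99214", "2014-03-05", 25, 110.0),
]
CLAIMS += [Claim("P2", f"X{i}", "99215", "2014-03-03", 40, 180.0) for i in range(25)]
CLAIMS.append(Claim("P2", "X0", "99215", "2014-03-03", 40, 180.0))

if __name__ == "__main__":
    for check, findings in audit(CLAIMS).items():
        print(f"{check}: {findings}")
    print("providers for review:", flagged_providers(CLAIMS))
```

Each check targets a different abuse: resubmitted claims, more billed time than a single clinician could deliver in a day, and a provider whose visits are almost all coded at the top level. None of them proves fraud on its own; the output is a review queue, and P1’s single top-level visit shows why a share threshold rather than a simple “any high-level code” rule is needed to keep honest providers out of it.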
Exposed or breached medical data puts the consumer at risk in other ways too, including being wrongly accused of abusing medical services because of false claims tied to their stolen information, and even blackmail or extortion by criminals who threaten to expose sensitive medical details.
The risks and issues that organizations and agencies must address as healthcare information moves online all revolve around security: secure enrollment for first-time portal users, access controls that keep PII from being exposed, and secure systems for online payment and for third-party access to sensitive data. Adopting the software and protocols is just the beginning; employees and officials must also be educated about the risks and complexity of cyber-attacks.
What’s being done at the federal level?
The Department of Health and Human Services recently conducted a cyber-attack exercise, CyberRX, involving multiple healthcare providers and related companies. The exercise revealed significant gaps in how companies and agencies obtain cyber threat information, as well as difficulty communicating the effects of such attacks on their networks.
Jim Koenig, a cyber security expert with Booz Allen Hamilton who took part in CyberRX said, “the growing adoption of new and connected health information technologies and widespread use of mobile devices continues to increase the industry’s exposure to potential attacks.”
As it stands, the current U.S. national cybersecurity framework for critical infrastructure is not sufficient to support healthcare organizations against current cyber threats. Until the risk that the Affordable Care Act’s push of patient data online poses to millions of patients is mitigated, and while negligent employees and unsecured devices in the workplace remain a significant threat, the challenge will be to work across multiple stakeholders, including patients, providers, payers and the pharmaceutical industry, to raise awareness, collaborate and implement preventive measures.
Cybercrime in the U.S. healthcare industry has the potential to become a devastating problem for the industry, the economy and society. The solution needs to start with healthcare organizations working in conjunction with regulatory agencies and third-party businesses. Together they must be as aggressive in adopting and implementing security measures as the cybercriminals are in trying to get there first.