The days of stealing personal information for credit cards no longer holds the greatest appeal for hackers of medical facilities. "Credit card companies stand behind their clients," says Russ Dorsey, manager of information services at Kassouf & Co. Purchases are rapidly questioned, cards are voided, and card holders rarely get dinged.
Hackers now find value in piecing together data on people from a multitude of sources -- social media, credit card activity, patient records -- to build a fairly accurate and often invasive picture of that person.
The newest market for these stolen insights has become countries, such as Taiwan and China. "These nations are looking for leverage through patient records," Dorsey says. "I know this sounds farfetched, but it is happening.
"These governments are looking for information on industry secrets and processes. So how do they steal that material? They find someone with a sick family member or credit problems, knowing that they may be able to compromise that person with cash. That's why patient information is so important."
On the black market, stolen credit cards sell for $10, but protected health information (PHI) goes for $1,500 per record, Dorsey says. "This is why hackers are willing to go to so much trouble for PHIs.
"Years ago, when they were writing these HIPAA laws, we wondered why all this was so important, and now it's coming to fruition. We're understanding how much detail is in our healthcare records. It's almost a matter of national interest now."
Stolen patient records can also reveal opportunities for fraud. For instance, a CEO or financial officer out on medical leave can open the way for hackers to imitate that person in a wire transfer request. "They know that that person is a soft target to exploit because their company probably can't reach them," Dorsey says.
Robert Morris
With the advancement of office and healthcare technology, access points for data breaches have multiplied. For instance, multifunction copiers typically have access to the facility's network. "Many of these have hard drives and store that information inside the copier," says Robert Morris, vice president of healthcare and security solutions at Teklinks. "So when that machine goes off-lease, that information can be rolled right out the door. That's a breach."
Besides office equipment, medical devices also pose a large vulnerability with their newer connections requiring internet connections. Researchers at Trend Micro analyzed these medical devices and systems and found that patient data gets exposed by hospitals and practices configuring their network infrastructure incorrectly.
Work-arounds to connect computer systems, applications, or software to work with each other are common and dangerous. Staff may email lab results to a referring physician because their two EMRs differ, for example, which ignores HIPAA safeguards. Web-based emails, such as Google and Yahoo, are equally unsecure. "You've got to know who accessed the data and when," Morris says. "With email, even with a read receipt, you don't know it got to the person who it was intended for."
All certified EMRs, meaning they meet Meaningful Use (MU) requirements, have secure messaging modules that are built to talk to any other certified EMR, no matter the maker. "Many places have it, but they're not using it," Morris says, adding that it could be as simple as a tab on the EMR screen.
Like patient portals, these pathways are secure tunnels for passing and discussing patient information, and include log-in data to verify who received it and when. The function, warns Morris, may come with an additional fee. "But according to MU, you should have it. If you don't know if you have it, contact your vendor," he says.
For those devices and software without secure messaging, Morris says to invest in an interface. This builds the secure pathway for data to flow between two systems or software, such as a lab and a clinic. The customization and ongoing support may run up to $5,000.
"But the alternative could be fines for a breach, and fines are just staggering," Morris says. "Lost patient records can cost millions."
In June, a Texas clinic reported two thumb drives stolen from a home, along with a laptop. The drives contained a total of 18,500 patient records. The Office of Civil Rights, which audits and fines for healthcare breaches, set a $3.4 million fine.
The Department of Health and Human Services report that one-third of all breaches are caused by business associates and third-party vendors. "A provider should not release PHI to anyone, other than patients themselves, without a signed Business Agreement," Morris says.