The global healthcare sector has seen no shortage of data breaches in recent years, many of which occurred due to organizations’ access to vast amounts of personal health information (PHI), insufficient security awareness, and increasing reliance on internet-connected technologies. Healthcare organizations in the United States, however, face additional cybersecurity challenges due to a factor that remains largely beyond their control: the composition of the U.S. healthcare system.
Legislation & Compliance
While healthcare organizations around the world operate under a bevy of country-specific regulations, some of those implemented in the U.S. correlate strongly with the increase in large-scale healthcare data breaches in recent years.
More specifically, when the American Recovery and Reinvestment Act (ARRA) was passed in 2009, it mandated that all U.S. healthcare organizations adopt Electronic Medical Record systems (EMRs) by 2014. By pressuring organizations to adopt these new technologies -- despite the fact that many lacked sufficient time, resources, and technical expertise to implement and maintain EMRs securely -- ARRA ultimately facilitated many of the security vulnerabilities that plague the U.S. healthcare sector today. Indeed, the frequency of ransomware attacks, extortions, and other malicious cyber campaigns targeting U.S. healthcare organizations has increased substantially since the widespread adoption of EMRs.
Even worse, HIPAA compliance remains the only security requirement not just for EMRs but for the U.S. healthcare sector in general. Although HIPAA’s Security Rule was created to ensure the security of PHI stored within electronic systems, the rule has not been amended since its creation in 2003, and as such it fails to fully address the security concerns inherent to many of today’s EMR technologies.
However, perhaps HIPAA’s most substantial flaw is that it does not require healthcare organizations to employ encryption. As a result, many organizations store PHI in plaintext, which renders it far more vulnerable to abuse in the event of a breach. And while many organizations recognize the critical need to encrypt patient data, others may falsely believe that as long as they remain compliant with HIPAA, their systems and data will be secure.
Consequences from 2016 breaches
The continual adoption of EMRs combined with insufficient security compliance regulations ultimately helped contribute to the record-breaking number of data breaches that struck the U.S. healthcare sector in 2016. When the Deep & Dark Web consequently became inundated with an unprecedented surplus of stolen PHI, the black-market value of PHI plummeted. As a result, cybercriminals who had once depended on PHI sales as a reliable source of income could no longer do so and were forced to change their tactics.
But rather than abandon this abundance of PHI, cybercriminals determined how to profit from PHI by leveraging it within other fraudulent schemes -- some of which rely on aspects of the U.S. healthcare system.
Privatization & High Costs
The U.S.’s largely privatized health insurance system is one such aspect. Unlike the universal healthcare provided in most other countries, the majority of U.S. taxpayers receive healthcare coverage through private insurers. And as these insurance costs continue to rise, more people are turning to high-deductible insurance plans because they tend to have more affordable premiums and come with the added bonus of Health Savings Accounts (HSAs).
Consequently, HSA fraud has grown increasingly common since 2016, around the same time that a prolific threat actor operating on the Deep & Dark Web suggested leveraging PHI to target victims with HSAs. This actor also encouraged using the information contained within PHI records -- such as social security numbers, contact information, etc. -- to first access the victim’s credit history via a free online credit monitoring service. This tactic enables cybercriminals to identify the most profitable victims -- those with high-value HSAs and high credit scores.
As high-deductible insurance plans, and therefore HSAs, grow more popular, the pool of individuals susceptible to HSA fraud is increasing. In fact, recent estimates suggest that there are currently over 20 million HSA accounts holding nearly $37 billion in assets for U.S. taxpayers. These figures represent a year-over-year increase of 22% for HSA assets and 20% for accounts.
Although U.S. healthcare organizations have little control over certain factors contributing to their susceptibility to data breaches, many factors are within their control. Above all else, organizations must recognize that achieving better security requires going beyond compliance.
Raising security awareness, requiring stringent password hygiene, strengthening user-access controls across all systems and databases, regularly updating all technologies and software, enforcing acceptable use and “bring your own device” policies, and encrypting patient data can all help healthcare organizations become more secure. And since many healthcare-specific threats originate from the Deep & Dark Web, working with a reputable vendor to gain visibility into these online regions can enable organizations to address these threats proactively.