Patient records have long been one of the most sought-after data sets among cyber attackers, and stolen medical data is a cornerstone of the cyber criminal economy. Personally identifiable information (PII) such as names, dates of birth and addresses can provide huge value to attackers, enabling a wide range of criminal activity. The details can be used to commit fraud directly, or can enable a cyber criminal to craft a devastatingly well-targeted social engineering attack that deceives the victim into giving up more information or installing malware.
Records stolen from healthcare providers are a particularly good source of PII because they store so many different attributes about an individual in one place. Our research has found that an average of 74 attributes are held per medical record, compared to an average of 49 across all other types of data.
Further, the data is more likely to be up to date and accurate than an alternative source such as a retailer. Individuals are much less likely to lie about things such as their date of birth to their healthcare provider, and there is more of a vested interest in keeping the details correct.
The nature of patient data also enables some unique opportunities for criminals, such as fraudulently acquiring prescription drugs or medical equipment, or filing false claims with health insurance providers.
UK providers leading the way
The good news is that UK healthcare providers appear to be taking this threat seriously – in fact, according to our research, healthcare data appears to be more rigorously assessed than any other type of data. Trustwave commissioned industry analyst firm Quocirca to survey 500 senior IT managers in Australia, Canada, Japan, the UK and the US and establish how much value they placed on data within their organisation.
The study included organisations from a wide variety of industries, with a focus on finding out what kind of data was considered to be the most important, and how it was managed and secured. One of the most important considerations was whether a risk assessment had been carried out for each data type.
An impressive 90% of UK organisations that hold patient data reported that they had undertaken a comprehensive risk assessment – far ahead of the global average of 79%. The UK even edges ahead of the 85% average in the United States, where healthcare is very tightly regulated by HIPAA, the Health Insurance Portability and Accountability Act.
Our research also found that the respondents believed patient data to be the second most highly valued data subject among organisations, with an average value of $1,500 per record. Only shareholder data was valued more highly, at $1,700 per record, while by comparison, an average consumer record was valued at just over $1,000.
We also found healthcare records to be by far the most valuable dataset available for purchase on the dark web, with each record commanding a mean price of $250. This price tag far eclipsed other commonly stolen data such as bank records, which were valued at just $4 each.
The influence of regulation
When it comes to looking after data, the UK's global lead is largely due to the number of healthcare organisations operating through the NHS. Alongside this comes fairly strict regulation and the influence of the Information Commissioner's Office (ICO). The ICO is well known for taking action against organisations found to be breaching the Data Protection Act, with average fines of £114,000 for poor data security, and the largest fine exceeding £400,000.
With a few exceptions, it is a statutory requirement for every organisation processing personal information to register with the ICO. Healthcare providers are also under additional pressure to report IG SIRI (Information Governance Serious Incident Requiring Investigation) at the earliest opportunity and handle their investigation efficiently.
While it's true that UK healthcare providers are leading the way when it comes to assessing the risks facing patient data, it's also the case that we see a regular influx of security incidents handled by the ICO. While last year's WannaCry attack had many providers on edge, it's important to remember that a data breach is not necessarily the work of cyber criminals. The majority of security incidents that land providers in trouble with the regulators originate within the organisation, such as data that has been accidentally sent to the wrong recipient or accessed improperly by an employee.
Keeping patient records safe
The large number of healthcare providers having regulatory action taken against them is partly due to the higher burden of incident reporting compared to private sector enterprises with less regulatory pressure. However, many of these incidents stem from poor data management policies and could easily be prevented.
Risk assessments should be comprehensive and take into account external factors such as third-party vendors and contractors, and the prevalence of bring-your-own-device (BYOD) policies that make it more likely for data to be shared or lost. We found email security to be a particular blind spot for many organisations, despite the fact that confidential medical data is commonly leaked over email – whether maliciously or through the easy mistake of typing the wrong recipient.
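As an added illustration of the email blind spot described above (this is example code written for this page, not a Trustwave product or anything from the survey), the following Python outbound-mail check looks for NHS numbers in a message body, validates them with the NHS number's Modulus 11 check digit so that arbitrary ten-digit strings do not trigger it, and blocks the message when any recipient is outside the organisation's own domains. The internal domain list, the recipient addresses and the sample message body are all constructed for the example; the regular expression and the "block / warn / allow" verdicts are design choices of this example, not any standard.

```python
import re

# Constructed for this example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"hospital.example.nhs.uk"}

# Constructed sample outbound message. 943 476 5919 is a well-known
# test NHS number whose Modulus 11 check digit is valid.
SAMPLE_BODY = (
    "Hi, the discharge summary for the patient with NHS number "
    "943 476 5919 is attached. Regards"
)

# Ten digits, optionally grouped 3-3-4 with spaces or hyphens (assumed format).
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")


def nhs_check_digit_valid(number: str) -> bool:
    """Validate a 10-digit NHS number with its Modulus 11 check digit.

    The first nine digits are weighted 10 down to 2 and summed; the check
    digit is 11 minus the remainder mod 11 (11 maps to 0, 10 is invalid).
    """
    if len(number) != 10 or not number.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(number[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False  # no valid NHS number can have this check digit
    return check == int(number[9])


def find_nhs_numbers(text: str) -> list:
    """Return the check-digit-valid NHS numbers found in text, separators removed."""
    found = []
    for m in NHS_NUMBER_RE.finditer(text):
        candidate = "".join(m.groups())
        if nhs_check_digit_valid(candidate):
            found.append(candidate)
    return found


def recipient_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def assess_outbound(recipients: list, body: str, internal_domains: set) -> dict:
    """Classify an outbound message: block if patient identifiers are going
    to an external domain, warn if they are going internally, otherwise allow."""
    hits = find_nhs_numbers(body)
    external = [r for r in recipients if recipient_domain(r) not in internal_domains]
    if hits and external:
        verdict = "block"
    elif hits:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"verdict": verdict, "nhs_numbers": hits, "external_recipients": external}


if __name__ == "__main__":
    print(assess_outbound(["gp@clinic.example.com"], SAMPLE_BODY, INTERNAL_DOMAINS))
```

Note the caveat the "warn" verdict encodes: a domain check catches the mis-typed external address, but not a message sent to the wrong colleague inside the same organisation, which the ICO incident figures above suggest is just as common; that case needs recipient confirmation prompts or role-based routing rather than content inspection alone.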
One of the most effective ways of addressing these security issues is to take on a managed security service provider, or MSSP. This enables the organisation to improve its responsiveness and remediation capability, supplementing its internal security teams without consuming their budget. Having on-demand access to a team of experienced security practitioners also lets a healthcare provider scale up its resources quickly to respond to a crisis.
By combining attention to security best practice with provisions for more advanced incident response and investigative abilities, healthcare providers can ensure the patient data in their care is kept safe from theft or loss.