The illicit sale of health care information is now more valuable than ever before — millions of medical records are being sold on the black market, putting both patients and health care organisations at greater risk of data compromise.
Health care organisations are desperately trying to detect and stop theft, but unfortunately, some hospitals are still in the process of transitioning from paper patient records to electronic health records — far behind other industries such as the Australian banking sector. As a result, there is significantly less protection in place to stop sophisticated cybercriminals.
Why are medical records being stolen?
According to the recent 2020 State of Password and Authentication Security Behaviors Report by the Ponemon Institute, a majority (59%) of individuals are most concerned with protecting health-related information — and rightfully so. There are many different reasons why medical records are of value for a cybercriminal. In some cases, an attacker will try to use the victim’s private health care or Medicare benefits; other times, the records are used as a form of identity to fraudulently obtain credit in the victim’s name, and in rare situations, stolen medical records are used for blackmail and extortion.
Health records contain highly sensitive personal information, which can sell for as much as $1000 per health record according to the recent 2020 Vision Report by CyberMDX. In contrast, tax file numbers cost about $22 and stolen credit cards sell for just $1.50–$4.50, according to Ernst and Young.
Emerging cyber threats to health records
According to a study from researchers at Bond University, there are now more than 250 000 fitness and health apps available, but there is still very little evidence to show they actually work. This means more attack points and greater opportunities for cybercriminals, particularly during a time of crisis such as the global coronavirus disease 2019 (COVID-19) pandemic. In times of crisis, hackers thrive on fear, uncertainty and doubt to trick unsuspecting or distracted users into revealing sensitive credentials or downloading malware. To make matters worse, the interconnected nature of the health ecosystem means a breach can have a detrimental and far-reaching effect throughout the health care system. As more third parties enter the health supply chain, the potential problem will continue to escalate.
New cyberattacks against health care organisations across the world are reported every week, and they are growing rapidly at hospitals and health care providers in Australia. Significant threats to health care organisations include malicious insiders, poor internal processes and ransomware, which accounts for 17% of data breaches in Australia, according to a report by Carbon Black.
Email also continues to be a primary attack vector, as most phishing attempts are executed via email. For example, a recent Osterman Research white paper cited a widespread phishing attack against Monash in vitro fertilisation (IVF) clinic in November 2019, which became apparent when patients received phishing emails using Monash IVF email accounts.
Combating the threat with strong authentication
Better awareness and understanding of cybersecurity risks, strategies and operations in the boardroom and at the executive manager level is essential to the overall functioning of cyber-resilient health care organisations. Health security professionals must be empowered to work proactively to prevent malicious attacks and data breaches, which starts with standard risk management processes.
Strong multifactor authentication (MFA) is the first line of defence to ensure that sensitive information can be securely accessed, and is a critical component of any enterprise risk management strategy. MFA needs to safeguard not only internal employees but external partners, vendors and contractors as well; poor authentication processes at a third-party vendor could undermine an organisation’s entire security foundation.
Not all MFA is equal, making it critical for health care organisations to consider user preference, authentication scenarios, and physical points of entry when selecting and implementing MFA tools and workflows. For example, many health care workers access accounts from mobile devices, on shared workstations, or even in mobile-restricted environments where phones are not permitted.
MFA approaches can be categorised on a continuum from good to best with many common authentication methods — such as SMS codes and mobile authenticator apps — still leaving users vulnerable to human error, poor usability, or phishing attacks. According to a recent Google study, the most effective authentication mechanism to prevent account hijacking 100% of the time is physical security keys, offering both a high level of security and usability.
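The reason a physical security key resists phishing where an SMS or app-generated code does not is that the key's response is bound to the site the browser actually loaded, not to whatever the page on screen claims to be. The following is an added illustration, not code from the article or from Yubico: a simplified, standard-library-only model of the WebAuthn/FIDO2 login flow in which HMAC with a per-credential secret stands in for the authenticator's private key and the relying party's stored public key. The origin `https://portal.example-health.invalid`, the user name and the lookalike hostname are constructed for the example. It shows the three checks a relying party relies on: the authenticator only answers for the RP ID it was registered with, the relying party compares the browser-reported origin to its own, and each challenge is single-use.

```python
"""Simplified model of origin-bound challenge-response login (WebAuthn/FIDO2 style).

Constructed example. HMAC over a per-credential secret stands in for the
security key's private key and the relying party's stored public key; the
structure of what is signed and checked follows the real flow.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def rp_id_from_origin(origin: str) -> str:
    """The browser derives the RP ID from the origin it really loaded, i.e. the host."""
    return urlparse(origin).hostname


def signed_payload(rp_id: str, client_data: bytes) -> bytes:
    """Authenticator data (RP ID hash) concatenated with the client data hash."""
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()


class Authenticator:
    """Security key: one credential per RP ID, and it only ever answers for that RP ID."""

    def __init__(self):
        self._credentials = {}  # rp_id -> credential secret (stands in for private key)

    def make_credential(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # a real key would hand out only the public half

    def get_assertion(self, rp_id: str, client_data: bytes) -> bytes:
        if rp_id not in self._credentials:
            raise LookupError(f"no credential registered for RP ID {rp_id!r}")
        return hmac.new(self._credentials[rp_id], signed_payload(rp_id, client_data),
                        hashlib.sha256).digest()


class RelyingParty:
    """The hospital's login service: issues challenges and verifies assertions."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = rp_id_from_origin(origin)
        self._keys = {}     # user -> credential secret (stands in for public key)
        self._pending = {}  # user -> outstanding challenge, consumed on first use

    def register(self, user: str, authenticator: Authenticator) -> None:
        self._keys[user] = authenticator.make_credential(self.rp_id)

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_hex(32)
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, client_data: bytes, signature: bytes) -> bool:
        key = self._keys.get(user)
        expected = self._pending.pop(user, None)  # single use: a replay finds nothing
        if key is None or expected is None:
            return False
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get":
            return False
        if not hmac.compare_digest(data.get("challenge", ""), expected):
            return False
        if data.get("origin") != self.origin:  # the origin binding check
            return False
        expected_sig = hmac.new(key, signed_payload(self.rp_id, client_data),
                                hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected_sig)


def browser_sign_in(authenticator: Authenticator, page_origin: str, challenge: str):
    """The browser fills in the origin it actually loaded the page from; the page
    cannot override it, and the RP ID handed to the key is derived from the same origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    signature = authenticator.get_assertion(rp_id_from_origin(page_origin), client_data)
    return client_data, signature


def login_from(rp: RelyingParty, authenticator: Authenticator, user: str, page_origin: str) -> str:
    """Attempt a login with the page loaded from page_origin and report the outcome."""
    challenge = rp.begin_login(user)
    try:
        client_data, signature = browser_sign_in(authenticator, page_origin, challenge)
    except LookupError:
        return "no-credential-for-origin"  # the key never signs anything
    return "accepted" if rp.finish_login(user, client_data, signature) else "rejected"


if __name__ == "__main__":
    key, portal = Authenticator(), RelyingParty("https://portal.example-health.invalid")
    portal.register("dr.example", key)
    for origin in ("https://portal.example-health.invalid",        # the real portal
                   "https://portal.example-health-login.invalid",  # lookalike host
                   "http://portal.example-health.invalid"):        # same host, wrong scheme
        print(origin, "->", login_from(portal, key, "dr.example", origin))
```

A one-time code, by contrast, is a bare string that carries no information about where it was typed, so a verifier has nothing to compare against; that is the gap this origin binding closes. The same structure is why a credential registered for the real portal cannot be exercised from a lookalike domain: the browser presents a different RP ID, and the key has no credential for it.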
Ultimately, cybersecurity solutions that are reliable, easy to use, and flexible are critical for health care organisations to mitigate security risks without hindering productivity and should not be considered as an afterthought. Proactive deployment of a strong security foundation, beginning with strong authentication, is key to combat cyberattacks.
Geoff Schomburgk is Regional Director for Australia and New Zealand of Yubico.
The statements or opinions expressed in this article reflect the views of the authors and do not represent the official policy of the AMA, the MJA or InSight+ unless so stated.