Healthcare Information is a Gold Mine for Hackers
With the advent of wearables the issue of personal data security surfaced to a new level of concern. Most of us who use FitBit or Apple Watch never think about the fact that our healthcare information is freely, without our consent, spread to many, sometimes undesirable for us, parties. In our earlier news report we see this
“…a report by Privacy Rights Clearinghouse also indicated that 40% of 43 fitness apps collected high-risk data, including addresses, financial information, full name, health information, location and date of birth. The report also found 55% of those 43 apps shared data with third-party analytical services that could potentially link data from the fitness and health apps to other apps, potentially linking health data to other identifying information about the user.”
In this news aggregation file we provide several recent findings:
- Brief overview; “Hide Your Health”, by Matthew R. Langley published in the Georgetown Law Journal. “… consumer wearables … continue to provide the platform for companies to, quite literally, profit from our heartbeats”
- Results of KPMG Survey: increase of malware attacks on healthcare organizations in the past two years. A very good visual infographics explains why your healthcare data is more valuable to hackers that your stolen credit card.
- Why is Healthcare Data so Valuable? By Absolute - Data breaches cost the healthcare industry an estimated $5.6 billion annually. “… healthcare records fetch more on the black market than credit card data. A single health record can sell for $20 and a complete patient dossier can sell for 500 bucks.”
81% Of Healthcare Organizations Have Been Compromised By Cyber-Attacks In Past 2 Years: KPMG Survey
SOURCE KPMG LLP
NEW YORK, Aug. 26, 2015 /PRNewswire/ -- Eighty-one percent of health care executives say that their organizations have been compromised by at least one malware, botnet, or other cyber-attack during the past two years, and only half feel that they are adequately prepared in preventing attacks, according to the 2015 KPMG Healthcare Cybersecurity Survey.
Furthermore, in polling 223 chief information officers, chief technology officers, chief security officers and chief compliance officers at health care providers and health plans, KPMG found the number of attacks increasing, with 13 percent saying they are targeted by external hack attempts about once a day and another 12 percent seeing about two or more attacks per week. More concerning, 16 percent of healthcare organizations said they cannot detect in real-time if their systems are compromised.
"The vulnerability of patient data at the nation's health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records," said Michael Ebert, leader in KPMG's Healthcare & Life Sciences Cyber Practice. "Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for execs is to advance their institutions' protection to create hurdles for hackers."
Greg Bell, who leads KPMG's Cyber Practice, feels also that many organizations not seeing frequent cyber-attacks may underestimate the threat. "Healthcare organizations that can effectively track the number of attempts have less cause for worry than those who may not detect all of the threats against their systems," said Bell. "The experienced hackers that penetrate a vulnerable health care organization like to remain undetected as long as they can before extracting a great deal of content, similar to a blood-sucking insect."
When asked about readiness in the face of a cyber-attack, 66 percent of execs at health plans said they were prepared, while only 53 percent of providers said they were ready. Larger organizations, in terms of revenue, are better prepared than smaller ones.
Malware, software designed to disrupt or gain access to private computer systems, is the most frequently reported line of attack during the past 12 to 24 months, according to 65 percent of survey respondents. Botnet attacks, where computers are hijacked to issue spam or attack other systems, and "internal" attack vectors, such as employees compromising security, were cited by 26 percent of respondents.
According to the KPMG survey, the areas with the greatest vulnerabilities within an organization include external attackers (65 percent), sharing data with third parties (48 percent), employee breaches (35 percent), wireless computing (35 percent) and inadequate firewalls (27 percent).
The KPMG survey found that spending to prevent cyber-attacks has increased at most institutions, but it has to be on the right initiatives and fit the organization's strategy, said KPMG's Bell. "There are no cookie cutter approaches to security," offers Bell. "An organization with a mobile workforce may have a far different technology need from an organization that processes healthcare claims, for example."
About KPMG LLP
KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative ("KPMG International"). KPMG International's member firms have 162,000 professionals, including more than 9,000 partners, in 155 countries.
Hide Your Health: Addressing the New Privacy Problem of Consumer Wearables
MATTHEW R. LANGLEY
Georgetown Law, J.D. 2015; Sonoma State University, B.A. 2012. © 2015, Matthew R. Langley.
This is a brief summary of detailed overview on the subject that was published in the Georgetown Law Journal. The full text can be downloaded here
Consumer wearables present a new way for individuals to communicate sensitive, personal information about themselves. These same devices also provide a new way for companies to collect intimate data about individuals. Old laws must adapt to modern times in the same way that old methods of communication evolved with technology. A relatively unknown loophole in
section 2702(c)(6) of the SCA allows health apps to freely disclose its customers’ sensitive health information. But are people comfortable with companies knowing how truly lazy they are? How stressed they get around the holiday season? How their heart rate skyrockets whenever they are around certain people? How well they sleep? If not, Congress should step in and stop this widespread disclosure before it becomes irreversible. Until congressional intervention occurs, consumer wearables will continue to provide the platform for companies to, quite literally, profit from our heartbeats.
Here is the list of discussed issues:
I. WEARABLE TECHNOLOGY: A NEW ERA OF PRIVACY CONCERNS
A. Consumer wearables allow individuals to communicate their personal health data
B. Without adequate legal strictures in place, health-app companies are free to sell personal health data obtained through wearables
II. INAPPLICABILITY: CONSUMER WEARABLES DO NOT FIT WITHIN THE CURRENT HEALTH-RELATED REGULATORY SCHEMES
A. HIPAA’s privacy protections do not apply to health apps
B. The FDA will not regulate consumer wearables or their associated health apps
III. INADEQUACY: THE ECPA APPLIES TO HEALTH APPS, BUT DOES NOT LIMIT THEIR ABILITY TO DISCLOSE PERSONAL HEALTH DATA TO THIRD PARTIES
A. A brief primer: enacting the SCA provisions of the ECPA
B. The SCA limits certain service providers from disclosing the contents of communications, but does not prevent disclosure of customer records
1. As Either an Electronic Communication Service or a Remote Computing Service, Health Apps Are Regulated by Section 2702 of the SCA
2. The SCA Treats Personal Health Data Obtained Through Wearables as Customer Records Instead of Content
Video: Why is Healthcare Data so Valuable?
Data breaches cost the healthcare industry an estimated $5.6 billion annually.This isn't surprising since 90% of healthcare organizations reported at least one data breach in the past 2 years - and 38% reported more than 5.
But why would anyone be interested in boring ol’ healthcare data?
Because healthcare records fetch more on the black market than credit card data. A single health record can sell for $20 and a complete patient dossier can sell for 500 bucks.
Cybercriminals have suddenly started to care for the sick – or at least for their lucrative PHI. Data breaches often lead to regulatory non-compliance as well as costly court cases and class-action suits that result in devastating penalties and settlements.
Make sure if your data breach nightmare comes true – you have controls in place to protect your data.
Image by KPMG