Despite high-profile hack attacks, like the Anthem breach in which cybercriminals exposed 80 million medical records, the health-care industry continues to shortchange Americans when it comes to protecting their data. That's the key takeaway from a new cybersecurity report from Forrester.
"When it comes to preparedness, they're woefully behind and that, to me, is the most concerning thing," said Forrester analyst Stephanie Balaouras.
"They've done it begrudgingly and they've done it as something that they need to comply with at the lowest possible cost, as opposed to something they really embrace," she said.
"The focus, to date, has really been more on achieving HIPAA compliance rather than overall privacy," Balaouras said. (The Health Insurance Portability and Accountability Act, known as HIPAA, provides federal protections for personally identifiable information held by providers and their associates, and gives patients certain rights regarding that information.)
As much as innovations in health care and connected devices — from GPS-enabled asthma inhalers to wearable tech tattoos that monitor vitals signs — mean improvements in human health and longevity, they also mean more ways cybercriminals can steal private data.
The data can be extremely valuable. Stolen credit cards sell for a just few dollars on the black market, but electronic health records can fetch as much as $50 each. "When you think of a medical record, it encompasses a lot of the same personally identifiable information that a cybercriminal might gain from breaching a retailer," said Balaouras. "But now, they also have more extensive medical information about you."
Forrester predicts that in 2016 hackers will release ransomware for a medical device or wearable.
And unlike credit card theft, which can be quickly resolved, medical identity theft can have long-term effects on individuals personally. "Now your medical record has been corrupted, somebody thinks you've got a certain diagnosis when you don't, or you've been on certain medication when you haven't, so It can have not just financial consequences, but also medical service consequences down the road," Balaouras said.
"Hackers are carefully picking their victim organization, learning its businesses, understanding its partner relationships, and testing for weaknesses and vulnerabilities. To make a lot of money stealing and monetizing personally identifiable information, a cybercriminal organization will want to steal as many records as possible," wrote Forrester in a report looking at the world's biggest consumer data breaches.
Over the last 14 months, the five biggest breaches accounted for 77 percent of all breached records, and the Anthem Blue Cross Blue Shield breach is second only to Home Depot in terms of the number of victims. Premera Blue Cross also made the top five — a September 2014 hack attack breached 11 million customer records.
Yet insurance companies, hospitals and doctors allocate an average of just 14 percent of their IT budgets to security. By contrast other industries, many of which are far less attractive to cybercriminals, are investing upward of 20 percent. "They haven't really thought about themselves as an actual cybersecurity target, I just think, from an overall budget perspective," Balaouras said.
"The fines are getting bigger every year," Balaouras said. New York Presbyterian Hospital and Columbia University agreed to pay the Office for Civil Rights, part of the Department of Health and Human Services, $3.3 million and $1.5 million, respectively, for failing to protect thousands of medical records in 2014.
"There are also reports that the Office of Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA), has a significant pipeline of unprecedented settlement agreements," wrote Forrester.
In light of the rise in hack attacks and the Anthem breach, Forrester has this advice to the industry: 1) adopt two factor authentication for access to databases containing sensitive patient information; 2) use behavioral analytics to identify suspicious behavior and encrypt data; 3) realize that identity protection is no longer a good enough mea culpa.
DHHS declined to comment for this story. A spokesperson for Anthem said there is no evidence that medical information such as claims, test results, or diagnostic codes, was targeted or obtained. Instead, the data accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data.
This story has been updated to add a comment from Anthem.