More healthcare records have been hacked so far in 2017 than records in any other industry, according to the latest report from the Identity Theft Resource Center. In one such example, VisionQuest Eyecare in Indiana reported a recent breach involving 86,000 patient records. Hackers are targeting larger databases to collect a greater variety of personal information about consumers, and healthcare is one industry where this data is prevalent. Recent attacks against the healthcare industry show that cybercriminals are acutely aware of the value contained in consumer health records. Medical records are worth ten times more than credit card numbers on the dark web.
The value of healthcare records for hackers
Healthcare data has good resale value for medical billing fraud, as well as for patient identity fraud, where an uninsured individual uses the identity and insurance of an insured person to gain healthcare services. The biggest problem for consumers who have been the victims of healthcare fraud is that fraudulent healthcare services and diagnostics are often attached to their permanent healthcare record, which could subject them to future risks of incorrect care or denial of coverage. Once false information has been added or changed on a consumer’s health record, it’s hard to correct. There is often no clear process for validating or changing information that fraudsters or identity thieves might have added or removed. In some cases, incorrect information inserted into or deleted from a patient’s record by fraudsters could become a life-threatening situation if a blood type or other vital piece of information were wrong.
The evolving threat landscape
The gap between consumers’ expectation that their personal data is protected and the actual quality of data protection is growing as cybercriminals change tactics. Attacks are far more sophisticated now than even a couple of years ago. NuData saw a 400% increase in sophisticated automated attacks on accounts using compromised consumer data in the last few months of 2016 alone. Today’s healthcare and insurance providers operate in a new world. With the demand for online and mobile healthcare services, health service providers (HSPs) and insurers can take advantage of the many benefits of these online applications while simultaneously limiting their financial risk and protecting customer privacy and brand reputation.
Most medical facilities and insurance companies have not invested in systems that have insight into consumer behavior, so they can’t predict and prevent unusual activity, unlike many financial institutions that have been fighting the battle with online criminals since the advent of the Internet. The healthcare industry must seek future-proof solutions to counter these quickly-morphing tactics.
Employing passive biometrics to ensure patient account security
Medical providers need to embrace new technology solutions to combat these quickly-morphing tactics, and to become more cognizant of the severe impact stolen personal data can have on patients. Providers should protect patient information by encrypting data at rest while simultaneously ensuring that best practices are followed for access and transmission. There is no excuse for the finding, in the latest Accenture report, that 23% of passwords were left completely unencrypted by healthcare providers, not to mention the ones that were so weakly encrypted that any hacker would find it easy to crack them. This finding demonstrates an inability to provide the most basic security protections.
The use of multiple authentication modes within the layered technologies of passive biometrics provides an in-depth understanding of how users behave online before, during and after they log in. This knowledge allows healthcare organizations to protect patient accounts even if credentials have been stolen, because the credentials are not the only method used to unlock the account.
Using passive biometric analysis in the authentication technology stack gives organizations the vital end-to-end ability to identify the use of stolen or breached credentials and secure user accounts, without making the experience complicated or painful for the account holder. The technology also provides options for HSPs to decide when and to whom to apply the appropriate amount of friction needed for further investigation.
It is imperative that every level of the healthcare industry take immediate action to secure patient data from theft and misuse and ensure appropriate controls are in place. This attention to protecting patient data should also extend to the development of a process with a designated stakeholder to make sure patient records that have been tampered with can be cleansed and authenticated.
Robert Capps is the vice president of Business Development for NuData Security.