Don’t Give up the Goods

Why hackers want your medical records

By: Christopher Hegg

Many hackers consider your medical records to be low-risk, high-value targets. These records can be obtained fairly easily and are sought-after on the underground cyber exchanges, and the chance of the hacker being exposed is minimal. Even though millions of medical records have been stolen in the United States recently, analysts are predicting a sharp increase in cyber-attacks on hospitals and doctors’ offices.

Hackers already know identity theft is the most lucrative of all cybercrimes. They also know the best way to effectively hijack an identity is by having as much information on the victim as possible. Medical records are the best way to have a complete profile on someone. Personal information that can be mined from an individual’s medical record can include name, address, birth date, Social Security number, employment information, financial records and much more. Armed with this kind of information, the criminal can do everything from apply for loans to drain the equity out of a person’s home.

Criminals are willing to pay 20 times more for stolen medical records than they are for stolen credit card numbers. However, this is not the only reason hackers have turned to this specific theft in such large and growing numbers. Medical systems in hospitals and clinics are often outdated and easier to break into. Security was never of primary concern to the original software designers to begin with, and the sophisticated techniques hackers use today easily exploit the vulnerabilities of these medical databases.

For these reasons, the time it takes to discover a breach of security is greatly increased. This gives hackers a comfortable window of opportunity to take what they want and gives the stolen merchandise a longer shelf life before the victimized parties are alerted. Thus, we now have a situation where the medical community is in a race to modernize these systems before more damage is done. However, the process is slow and tedious, and more cyber criminals are getting in on this kind of crime in record numbers.

Identity theft is especially prevalent in Arizona, which had more victims per capita than any other state in 2010, with about 149 victims for every 100,000 residents. California, Florida, Texas and Nevada also were leading states for identity theft, according to Federal Trade Commission data. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules establish federal requirements for keeping health information secure.

The HIPAA Breach Notification Rule requires most doctors, hospitals, other health care providers and health insurance companies to notify if a “breach” of unsecured information about a patient is seen by someone who is not supposed to see it. This federal law also requires health care providers and insurance companies to promptly notify the Secretary of the U.S. Department of Health and Human Services if there is any breach of unsecured protected health information and notify the media and public if the breach affects more than 500 people. This requirement helps patients know if unsecured protected health information has been breached and helps keep providers accountable for the protection of their health information.

Conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by an organization is a requirement of HIPAA. Taking this first step proactively helps protect your practice from these malicious attackers, and helps you keep the confidence of your patients.

For more information, call 800-955-2596 or visit www.corerecon.com.

 

Photo Courtesy of CoreRecon

Posted in Uncategorized