The large fiscal cost to individual victims stemming from medical identity theft is just one of the key ways that healthcare data breaches affect patients, according to a recent report from the Institute for Critical Infrastructure and Technology (ICIT).
Healthcare cybersecurity attacks are far more prevalent because the industry typically takes a weaker approach to data security, states “Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims.”
“Vulnerable legacy systems and devices that lack the ability to update and patch are Frankensteined into networks possessing newer technologies that can be updated and patched,” the report’s authors wrote. “As a result, the organization’s IoT microcosm becomes collectively vulnerable as effective layers of security cannot be properly implemented.”
Furthermore, executives often make “budget-line decisions that shift the risk of compromise onto the patients,” which could then put their personal data at risk.
“The consequences of these decisions made in far-off board rooms can haunt a patient for the rest of their life if an attacker compromises a healthcare database, exfiltrates EHRs, and repeatedly sells the information to be used for medical identity theft and other forms of fraud,” reads the report. “Due to antiquated security, healthcare systems are relentlessly and incessantly compromised by swarms of script kiddies, cybercriminals, self-radicalized lone wolf threat actors, and nation state advanced persistent threats.”
Patients will bear the brunt of the long-term effects stemming from healthcare data breaches, even though they had no choice in how their data was stored or what was used to protect their information, according to the report. Covered entities cannot continue to cut their cybersecurity budgets, delay system updates, put off updating their medical devices, or continue to “Frankenstein” those devices.
ICIT also points out that medical identity theft is often very difficult to detect at first, and considerably harder to discover than ordinary financial fraud. Consumers do not always read their explanation of benefits and may not understand the itemized bills for services that their providers send.
“Due to the longevity of the record, adversaries may continue to exchange and exploit the compromised information for the rest of the victim’s life,” the report’s authors concluded. “For some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead.”
Covered entities need to create comprehensive and strong cybersecurity practices, while also ensuring that those practices do not focus on just one area of security. Earlier this year, ICIT released a report explaining that organizations should introduce a cyber hygienic and security-centric culture.
The National Institute of Standards and Technology (NIST) released a draft to assist inventors in considering information security needs in all stages of product development. According to ICIT Co-founder and Senior Fellow James Scott, covered entities should use that report as an introduction to proper cyber hygiene.
A poor approach to healthcare cybersecurity could include not having data properly backed up in a secure place; if a data security incident then occurs, everything from PII exfiltration to patient billing could be affected, Scott told HealthITSecurity.com in May 2016.
“It could affect them in a lot of ways, and I think that hospitals and insurance companies and public companies, in order to get some of them to move on these standards, they have to really feel the economic punch in the gut.”