- Learning the main motivational factors behind healthcare data breaches, how that data is monetized, and utilizing federal law enforcement agencies are all key factors in preventing future attacks, according to Brookings Institution’s Center for Technology Innovation Fellow Niam Yaraghia.
The banking industry has adopted several successful methods when it comes to data breach prevention, as well as proper approaches when reacting to security incidents, Yaraghia wrote in a US News opinion piece.
“Immediately after the breach of credit card data, all affected consumers are notified, their old credit cards are frozen and new ones are issued,” he explained. “The process is so quick and efficient that consumers often face considerably less harm from a credit card data breach, especially because many credit card issuers now provide fraud liability coverage to their consumers and insure them against fraudulent charges.”
In contrast, the healthcare industry panics, has mandatory reporting, and identity theft protection services are only used in some cases. There is not a viable strategy or technology that can effectively reduce healthcare data breach negative responses.
Knowing exactly how the information might be misused after an attack is an essential first step, Yaraghia urged.
“Banks can often prevent hackers from using stolen credit card information simply because they are better versed in how hackers monetize that data, and thus have designed strategies to combat it,” he said. “Despite the public concerns over health care privacy breaches, we do not know exactly why hackers are interested in stealing medical data or how exactly they monetize it.”
While it is often reported that the value of a medical record is greater than financial data alone, Yaraghia maintained that there is confusion about the actual value of medical records on the black market. The range of value for one record varies between $1 and nearly $500, he wrote.
Even if a hacker obtains medical information, he likely wanted the financial information. The two are stored together in healthcare organizations that often have poor information technology practices.
Independent research institutes are in a good position to find out how healthcare information is potentially being monetized, while federal agencies like the Department of Health and Human Services Inspector General have the experience to determine which criminal organizations use stolen data maliciously.
“The first step to overcome this limitation and better protect patients' privacy is to identify the incentives behind hacking attacks and classify all the possible ways through which the stolen medical data could be misused,” Yaraghia said. “We still have much to learn about why hackers go after medical data and how they monetize it. These government agencies could help us do just that.”
Yaraghia has previously written about how the healthcare industry can make improvements when it comes to data breach prevention measures. In May 2016, he wrote in a research paper how better communication, a universal HIPAA audit certification system, and greater use of cyber insurance could be beneficial.
Not only do healthcare organizations hold valuable information, but they often were found to have embraced information technology too late and too fast. There were also not strong financial incentives at first to prevent privacy breaches.
“Information sharing about security technologies, privacy policies, and breach incidents should take place among health care organizations and also between health care organizations and federal agencies,” Yaraghia wrote in the paper. “Health care organizations should be encouraged to use the full potential of currently available platforms to better share information amongst themselves.”