The Next Data Theft Target: Your Medical Records


If you think Target and Neiman Marcus have done a lousy job of protecting your personal information, you may want to have a serious talk with your healthcare provider.

The impact of attacks on major retailers could be tiny compared with what’s likely to happen with even more sensitive data: our electronic medical records. That’s because healthcare organizations are doing an even worse job of protecting it than the big stores are, according to a report to be released tomorrow by cyber-security firm Norse Corp. and the SANS Institute, a security research and educational organization.

According to the report, millions of healthcare organizations have likely had their networks exploited by cyber-criminals or infected with malicious software that can be used to steal patients’ personal health information.

Follow the money, honey
Norse obtained this data by setting up “honeypots” — decoy systems designed to attract and record malicious traffic sent across the Internet — and then it traced the connecting data packets back to their source networks. Over a 13-month period, Norse uncovered compromised machines at 375 healthcare organizations. Nearly three-quarters of them were doctor’s offices and hospitals, with the rest divided among other healthcare-related companies.
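To make the method concrete, here is an added example (not code from the article, from Norse or from SANS) of the two steps described above: a bare-bones honeypot sensor that accepts a connection, logs the peer address and sends nothing back, and an attribution pass that maps each logged source address to an owning organization and category. The sensor loop, the connection records and the attribution table are all constructed for illustration; the addresses are RFC 5737 documentation ranges, and a real investigation would attribute sources from WHOIS and routing data rather than a hand-written table.

```python
"""Honeypot sensor plus source attribution (added illustrative example)."""
import ipaddress
import socket
from collections import Counter, defaultdict
from datetime import datetime, timezone


def run_sensor(port, max_hits, log):
    """Hypothetical sensor loop: listen on `port`, append a
    (timestamp, source IP, port) record for every connection, then close it.
    Nothing is advertised on this port, so any connection is unsolicited."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        for _ in range(max_hits):
            conn, (src_ip, _src_port) = srv.accept()
            log.append((datetime.now(timezone.utc).isoformat(), src_ip, port))
            conn.close()  # no banner, no service: record and drop
    return log


# Constructed sample of what the sensor would log: (timestamp, source IP, port hit).
SAMPLE_HITS = [
    ("2014-02-10T03:14:07Z", "198.51.100.17", 445),
    ("2014-02-10T03:14:09Z", "198.51.100.17", 445),
    ("2014-02-10T04:02:51Z", "203.0.113.88", 23),
    ("2014-02-10T05:30:00Z", "192.0.2.200", 3389),
    ("2014-02-11T01:11:11Z", "203.0.113.91", 445),
    ("2014-02-11T07:45:32Z", "198.51.100.250", 80),
    ("2014-02-11T09:00:00Z", "203.0.113.200", 445),
]

# Constructed attribution table: network block -> (organization, category).
# Assumption: in practice this comes from WHOIS / routing registries.
ATTRIBUTION = [
    (ipaddress.ip_network("198.51.100.0/24"), ("Example Hospital", "hospital")),
    (ipaddress.ip_network("203.0.113.0/25"), ("Example Clinic", "physician office")),
    (ipaddress.ip_network("192.0.2.0/24"), ("Example Insurer", "other healthcare")),
]

PROVIDER_CATEGORIES = {"hospital", "physician office"}


def attribute(src_ip, table=ATTRIBUTION):
    """Return (organization, category) for the first block containing src_ip,
    or ("unattributed", "unknown") when no block matches."""
    addr = ipaddress.ip_address(src_ip)
    for network, owner in table:
        if addr in network:
            return owner
    return ("unattributed", "unknown")


def summarize(hits, table=ATTRIBUTION):
    """Group distinct organizations by category and count hits per organization."""
    orgs_by_category = defaultdict(set)
    hits_by_org = Counter()
    for _ts, src_ip, _port in hits:
        org, category = attribute(src_ip, table)
        orgs_by_category[category].add(org)
        hits_by_org[org] += 1
    return {c: sorted(o) for c, o in orgs_by_category.items()}, hits_by_org


def provider_share(orgs_by_category):
    """Fraction of attributed organizations that are hospitals or physician
    offices (the split the report describes); unattributed sources are excluded."""
    attributed = {c: o for c, o in orgs_by_category.items() if c != "unknown"}
    total = sum(len(o) for o in attributed.values())
    providers = sum(len(o) for c, o in attributed.items() if c in PROVIDER_CATEGORIES)
    return providers / total if total else 0.0


if __name__ == "__main__":
    categories, counts = summarize(SAMPLE_HITS)
    for category, orgs in categories.items():
        print(f"{category}: {', '.join(orgs)}")
    for org, n in counts.most_common():
        print(f"{n:3d} hits from {org}")
    print(f"provider share: {provider_share(categories):.2f}")
```

The summary counts distinct organizations rather than raw hits, which is what the report's "375 organizations" figure needs: a single noisy host should not inflate the tally, and a source that no table entry covers is kept visible as unattributed rather than silently dropped.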

In addition to computers and networking equipment, compromised devices included printers, video conferencing systems, call center software and X-ray machines. The danger is that attackers could use an “edge system,” an off-the-shelf device like a printer, to ultimately gain access to databases of patient records.

Thieves could then sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

According to a survey conducted by the Ponemon Institute last September, some 1.84 million Americans were victims of medical identity theft in 2013, costing them an estimated $12 billion in expenses. Two-thirds of victims said they paid nothing at all; the other third claimed to have paid an average of more than $18,000 apiece.

(Institute Chairman Larry Ponemon admits that those dollar figures are estimates and that some of the financial data collected in the survey defies easy explanation.)

Worse, someone obtaining medical services in your name could result in inaccurate information being included in your medical records — such as procedures you never had or medications you don’t take — with potentially disastrous results.

All in the family
Are our healthcare records at risk? Absolutely. Do healthcare providers do a poor job of protecting them? If this survey is any indication, then the answer is yes.

But it’s also important to understand what the report did not say.

The report did not uncover any actual breaches of personal health information or find that attackers were targeting these organizations specifically to obtain medical records. It found no evidence that the federal insurance marketplace, HealthCare.gov, has suffered any security breaches.

The compromised systems uncovered in the survey did not include home healthcare monitoring systems or physical fitness trackers like the Jawbone UP, NikeFuel or Fitbit. While connected devices create new opportunities for hackers, there are no confirmed reports of any successful attacks on these things.

In fact, the biggest source of medical identity theft is not some hacker half a world away, it’s the people in the bedroom down the hall. According to the Ponemon survey, roughly a third of all medical ID theft occurs between family members — often an aging parent without insurance who “borrows” a child’s card. Another 30 percent is from people deliberately sharing their medical credentials with someone they know.

Only about 15 percent of medical ID theft is blamed on data breaches or deliberate attempts to steal credentials via phishing emails or fake websites, according to the survey. And that’s a guess at best, Ponemon admits.

Target on your back
Still, the potential for cyber-theft of medical records is huge and growing larger each day. Unfortunately, as with the Target breach, there’s not a whole lot consumers can do to protect their records once they’re in the provider’s hands. The best you can do is to keep vigilant watch over your personal health data and alert your providers if you see anything that looks wrong.

You’ll want to examine the Explanation of Benefits you receive from your insurance company and request copies of your medical records from every healthcare provider, and then dispute any charges that look bogus. You’ll want to keep an eye on your credit reports as well, since unpaid doctor’s bills can affect your creditworthiness. And then hope that your healthcare providers learn how to do a better job of dealing with the dangers of cyberspace before they, too, get hacked.

It’s not very tasty medicine, but it’s what the doctor would order, if he only knew how.

Questions, complaints, kudos? Email Dan Tynan.