Motivations Never Imagined – The Escalating Value of Patient Information to Bad Actors
Every CEO-Entrepreneur takes some pride in their vision, and at FairWarning quite a few things that I forecast well in advance have now come true: identity theft impacting care providers, the need to monitor internal workers with access to protected health information through EHRs and other applications, and even the idea that the Office for Civil Rights would get more serious about auditing for HIPAA. But reality is proving to be more interesting than what I imagined, and the need for real-time information security with coordination between vendors and customers across the industry is a necessity.
Specifically, the motivations of cyber security attackers are entirely new and never before imagined. Healthcare providers who are just now thinking about stopping “snooping” are in for an incredible surprise: information security risks are moving exponentially faster than in the past. Even organizations that have recognized that patient information has a high financial value due to identity theft, medical identity theft, medical fraud, and IRS tax fraud are still lagging the bad guys. It turns out the world is a dangerous place, and bad actors see tremendous lasting value in knowing a lot about each of us.
Espionage. In 2015 we learned that deeply personal information, including medical information that goes beyond personal and credit card information, is highly coveted by the world’s bad actors. As 2015’s breaches were forensically unwound, our Federal government and the public learned that our adversaries targeted the information of military personnel, veterans, diplomats, defense contractor personnel and others for the purposes of blackmail and espionage. Our adversaries see value in our healthcare information because it has the potential to be used against us forever. There are several breaches involving the healthcare industry, but the OPM breach is the poster child of very hard lessons learned. If you are an information security or related professional, you should learn about this breach in full. Here is the OPM Wikipedia entry as a starting point.
Blackmail and Ransomware. At the end of 2015 FairWarning held a webinar in which industry luminaries made information security predictions for 2016. One of the more interesting predictions involved healthcare providers being taken financial hostage either through an end-point attack or through an EHR attack. There had been small isolated cases in the past, but nothing significant in recent years. We wondered if 2015’s ransomware attacks on banks could hit healthcare in 2016. Well, the wait was over within the first few days of 2016, as the industry learned in mid-January 2016 that just such an attack had occurred.
The most important takeaway is that the bad actors are very smart and creative, and even the very best information security professionals are struggling to keep pace with what is next.
Politically Motivated Hacktivists. The next specter of what we are seeing is the politically minded hacktivist who wants access to incredibly sensitive patient information in order to shed light on political decisions which impact citizen health. Imagine seeing online the detailed citizen health impact of controversial political decisions that negatively impact our environment, workplace, and crucial resources.
Everything Wired is Vulnerable, and Everything is Wired. The hacks and attacks are also growing in creativity. Who would have thought the bad guys could perpetrate an identity theft scheme against millions of us by digitally breaking in through the “HVAC” system? The Internet of Things is going to bring new attacks from base camps never before imagined. Many of the intrusions start with malware and users innocently clicking on links which establish base camp for a network attack from our users’ laptops; other intrusions rely on insiders granting initial access, or even an insider conducting the attack. The Verizon “2015 Protected Health Information Data Breach Report” statistically detailed breaches and found insiders were involved in some way with nearly half of the intrusions.
So what can we do? We must consider every possible attack vector and assume we can be compromised from every vector until we have proven we have not (repeat this every day). We must monitor, analyze and respond in near real-time, and coordinate across traditional vendor lines against coordinated external and internal attacks; the lines have completely blurred in this area.
There is one prediction I would like to make in wrapping up this blog post: Electronic Health Record vendors will increasingly compete on all aspects of information security, including their ability to support real-time security monitoring. FairWarning will lead the way through a vision of protecting and growing trust between patients and care providers.