Roughly once a month, every month, there is a new article or report of a hospital held hostage by ransomware; a former employee stealing hospital records; the careless loss of a laptop, smartphone or tablet PC by hospital personnel; or malware that has been quietly shoveling hospital data to a malicious third party.
Why do hospital systems around the U.S. continue to fall victim to black market identity theft?
Hospital Systems Make Ripe Targets
Hospital systems across the country make ripe targets for identity thieves and ransomware for several reasons. Firstly, the new electronic medical records (EMR) systems that are now used by many hospitals were not designed to incorporate extensive security controls, methods or mechanisms as critical pieces of functionality. On the contrary, the EMR systems were developed to provide patient care as the primary functionality. The hospital system will typically have to request these security features be added into a future release.
Additionally, many of the policies, processes and standards within hospitals’ record-keeping departments were, much like EMR software, developed with patient care as the first and foremost goal. Data and system security are merely ancillary goals; they are nice to have if you can get them, but not considered critical.
These systems also store patient information in databases. Others use spreadsheets because they are easy for hospital personnel to manage and use. Seldom are databases normalized, encrypted using the best cryptography available or secured either at the table level or field level. And information security teams at hospitals and within hospital systems are often overworked and understaffed.
Every hospital in the U.S. uses a patient’s Social Security number as the primary identifier for all incoming patients. Usually, hospitals use a patient record number as a secondary identifier for data systems within the hospital, such as the diagnostics lab, pharmacy, intensive care unit, etc.
A patient’s Social Security number never expires; it stays with the individual to whom it was assigned for life and even after the individual has died. Social Security numbers not only establish an individual’s identity and citizenship status, but they also serve as the primary anchor for an individual’s educational history, credit history and credit rating.
These are the primary reasons why malicious individuals target hospital systems and will continue to target them in the future.
Who Commits Black Market Identity Theft?
Individuals who wish to immigrate to the U.S. illegally will pay a high price for a new identity: The Social Security numbers for deceased individuals command the highest prices because no administration within the U.S. tracks the usage of these numbers on a routine basis.
Terrorist organizations that aim to smuggle individuals into the U.S. could easily purchase stolen Social Security numbers on the black market. Lone wolf terrorists from other countries who come to the U.S. could indoctrinate themselves into society by acquiring a new Social Security number. With that number comes a ready-made citizenship, credit history and educational history.
For these reasons, children’s general hospitals and children’s research hospitals should be especially diligent when it comes to data security. A child’s Social Security number would be highly prized on the black market because it establishes identity and citizenship status but is not tied to a credit, criminal, educational or residential history.
Combating Black Market Identity Theft
Hospitals should take the following steps to secure protected health information (PHI) and personally identifiable information (PII):
- Deploy and install the most recent technologies (e.g., software, routers, encryption, database security, firewalls) and apply minimum security baselines to all the hardware installed in the environment.
- Be aware of the different hospital systems that handle PHI and PII and implement encryption on all of them.
- Collaborate on technology, policies, procedures, data models, standards and governance.
- Move away from territory-based controls and the siloed support model.
- If PHI and PII are offloaded to one or more databases, select database software that provides encryption, not just obfuscation.
- Stop opting for speed of deployment for EMR technologies at the expense of implementing tight security controls and aggressive security measures.
- Aim to hire individuals with strong information security backgrounds, focusing less on whether the candidate has a background in health care, particularly if that individual will be in an information management role.
- Utilize electronic medical records systems that encrypt data at rest and in transit using next-generation cryptography and cipher suites.
- Utilize databases in the patient care life cycle that incorporate table-level encryption at a minimum.
- Use mobile device management solutions and data containerization for all mobile device technology.
- When there is a data breach, own up to responsibilities and failures. Provide adequate information to law enforcement so that it can effectively perform its job without unnecessary red tape.
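The inventory step in the list above (knowing which systems and exports hold PHI and PII before encrypting them) can start with a scan for cleartext Social Security numbers. The following is an added example, not part of the original article: the sample export, its column names and the function names are constructed for illustration.

```python
import csv
import io
import re

# Nine digits, optionally split 3-2-4 by hyphens or spaces, and not part of
# a longer run of digits (so ten-digit phone numbers are not matched).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_export(text):
    """Return {column name: number of cells holding a plausible cleartext SSN}."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        for column, cell in row.items():
            if not isinstance(cell, str):
                continue  # ragged row: skip overflow or missing cells
            if any(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(cell)):
                hits[column] = hits.get(column, 0) + 1
    return hits

def mask(cell):
    """Redact plausible SSNs so the scan report itself does not leak them."""
    def redact(m):
        return "***-**-" + m.group(3) if plausible_ssn(*m.groups()) else m.group(0)
    return SSN_RE.sub(redact, cell)

# Constructed sample export. The numbers are specimen or invented values.
SAMPLE_EXPORT = """record_no,patient_id,notes,phone
100234,219-09-9999,follow-up in 2 weeks,5551230000
100235,123456789,guardian SSN 078-05-1120 on file,5551230001
100236,000-12-3456,lab ref 9001234567,5551230002
"""

if __name__ == "__main__":
    for column, count in scan_export(SAMPLE_EXPORT).items():
        print(f"{column}: {count} cell(s) with cleartext SSN")
    print(mask("guardian SSN 078-05-1120 on file"))
```

Columns that the scan flags are the candidates for field-level or table-level encryption; free-text columns such as `notes` are where identifiers tend to be missed.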
Telemedicine: An Overlooked Security Challenge
Telemedicine is not new in the field of health care, but it has undergone significant advancements with the advent of the smartphone, the tablet and video chat capability. Patient care teams, diagnostics teams and medical specialists can now utilize video conferencing to treat a patient who may be admitted to a hospital in one area while the diagnostics teams and specialists are stationed at a teaching hospital in another state, or even on another continent.
Telemedicine is routinely overlooked from a data protection perspective. While telemedicine-based video conferencing can work wonders for patients, most patient care teams and even patients themselves will not consider a streaming video of their face or body to be a form of PHI or PII. On the contrary, the face and body can both serve as biometric identifiers because they are unique to every individual, just like fingerprints.
Telemedicine and Children
This type of PII becomes especially sensitive information in the field of children’s health care where the patient is often under the age of consent. The child may not have parents present in the room while video is recorded or streaming, or the parents may be unaware the care team is utilizing telemedicine. Even if they are old enough to consent, patients may be unconscious and therefore unaware of what is happening.
If the child’s patient care team suggests or recommends the injuries or treatment be photographed or videotaped, parents should ask for a copy of every single photograph or video recording. They should retain the right to object to any photograph or video they feel would not provide value during treatment.
If the child’s patient care team recommends video conferencing to consult with other hospitals or care teams, parents should be allowed in the room every time video conferencing is initiated. Likewise, if the nursing staff leverages video conferencing to connect children in isolation wards with their parents, the child should be dressed and covered appropriately at all times.
Patient care teams should never enter a child’s room without first announcing themselves. They should announce the reason for their entry when the child is using the restroom, bathing or changing clothes. This is especially true if any member of the care team is holding a smartphone or tablet with a built-in camera when entering the room.
The points above don’t just apply to children; they should apply to all patients including teenagers, adults and the elderly.
Parents Must Be Vigilant
Parents should not assume the patient care team will take precautions to safeguard the child’s PHI or PII. In most hospital systems, the first and foremost goal of the patient care team is to treat the patient. Everything else, including securing data, is secondary.
To ensure their child’s PHI and PII are protected, parents should:
- Store all the child’s paperwork neatly in a folder or folio at the nurses’ station or in the EMR system, particularly if the hospital has a nighttime cleaning staff or high staff rotation rate;
- Make sure all emails exchanged between patient care teams, legal guardians, insurance companies, medical device manufacturers, diagnostics labs, specialists and pharmacies are encrypted without exception;
- Ensure all telemedicine programs incorporate a secure communication channel, next-generation cryptography and public key infrastructure; and
- Verify that all photographs, videos and video conferencing sessions are encrypted every single time a session is initiated, without exception.
Tips for Law Enforcement and Federal Agencies
There are plenty of information security firms that monitor the Dark Web and black market for a wide variety of transactions, such as the sale and purchase of stolen identities. Law enforcement should share information and cooperate with these security firms.
Children in foster care and group homes are probably the most susceptible to identity theft and corruption within hospital systems. Law enforcement, social services and information security firms could partner in a manner that provides a safety net and watchful eye for children who otherwise have no one to care for their long-term future and well-being.
Law enforcement should not assume that the individual responsible for the data breach was acting alone. Collusion on these types of events is possible and will become more prevalent in the future.
Tips for EMR Software Providers
Firms that create and distribute EMR software need to learn and practice defense-in-depth and embrace the concept of secure software design and development. Basic security controls should be in place in the code base in every release.
EMR software should support strong encryption, a wide variety of NIST-approved cryptographic algorithms and cipher suites, mutual SSL and public key infrastructure. The software designed and developed for mobile devices must be capable of supporting data containerization through mobile device management or mobile application management solutions as well.
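To make the "mutual SSL" requirement concrete, here is an added example (not from the original article or any EMR vendor) using Python's standard `ssl` module: a server context that demands a client certificate, beside a one-way default, plus a small audit that flags the difference. The function names and the commented-out certificate paths are assumptions for illustration.

```python
import ssl

def hardened_server_context():
    """Server context for mutual TLS: the client must present a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails without a valid client cert
    ctx.set_ciphers("ECDHE+AESGCM")       # TLS 1.2: forward-secret AEAD suites only
    # Deployment step; paths are placeholders, so they stay commented out here:
    # ctx.load_cert_chain("server.pem", "server.key")
    # ctx.load_verify_locations(cafile="client-issuing-ca.pem")
    return ctx

def weak_server_context():
    """One-way TLS: the server proves its identity, the client never does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE       # the library default for servers
    return ctx

def audit(ctx):
    """Return a list of findings for a server-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required: one-way TLS only")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    non_aead = [c["name"] for c in ctx.get_ciphers() if c.get("aead") is False]
    if non_aead:
        findings.append("non-AEAD cipher suites enabled: " + ", ".join(non_aead))
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_server_context()),
                      ("hardened", hardened_server_context())):
        print(name, audit(ctx) or "no findings")
```

The client certificates checked by `CERT_REQUIRED` are issued by the organization's own certificate authority, which is where the public key infrastructure named above comes in.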