Information leakage cases in healthcare


Leakage of personal information from medical institutions is a common type of information security incident. With the development of technology and the "transfer" of information into electronic form, leaks occur more and more often. In 2017, according to the Breach Level Index, 228 incidents were recorded in the healthcare sector, as a result of which at least 33.7 million medical records were compromised. Annual observations confirm that patient data is one of the three most valuable trophies for fraudsters and at the same time remains among the most vulnerable information in terms of information security.

The reason the healthcare sector remains the number one target for outside attacks and malicious insiders is the value of data. As a result of theft or compromise of medical information, patients incur material and moral damage, and the reputation of medical institutions deteriorates. The Medical Identity Theft Alliance conducted a survey, during which it found that in 90% of cases, patients felt uncomfortable after personal data leaks from healthcare institutions. For 19% of victims of leaks, relationships with colleagues and employers worsened, 3% of victims even had to change jobs.

Every third patient risks becoming a victim of information leakage due to the fault of a medical institution. Large leaks occur most often as a result of targeted hacking of information systems and IT products. The increase in the number of accidental leaks is mainly due to improper disposal or archiving of medical papers. Recently, a similar incident occurred in the Sverdlovsk region, where dozens of case histories and dispensary books dated 1989 were found in the district center in an old polyclinic building. The documents contained personal data of patients and diagnoses. For violation of the law on the storage of personal data, the clinic was fined 25 thousand rubles.

Among the largest cases of information leaks of recent times, experts point out:

  • Community Mercy Health Partners incident: medical records ended up in public trash cans through the negligence of company employees. At least 113,000 patients were affected by the leak.
  • Incident at Premier Healthcare, LLC: corporate laptops on which information was stored in unprotected form were stolen from the company. Login passwords were the only protection for the data. As a result, the data of 205 thousand patients was exposed.
  • Incident at Radiology Regional Center, PA: printed documents were lost during delivery to a waste recycling plant. At least 483 thousand medical records with patient data were affected.

Ministries of health around the world allocate funds to ensure the full operation of medical institutions. However, the management of clinics and hospitals prefers to channel money into developing new technologies and supporting current treatment protocols. Information security is given much less attention than information security standards require. Fraudsters know that sensitive information is weakly protected, so they regularly try to break into medical databases.

The Quick HIT Survey, commissioned by Healthcare IT News and HIMSS Analytics, found that nearly 75% of healthcare facilities in the United States are regularly affected by hacker attacks and malware. Ransomware is a serious threat: the software encrypts the data systems, after which the attackers demand a ransom for decrypting the information. Such malware harms both the hospital's material and technical base and its patients.

How do scammers use information from stolen medical records?

Medical records are highly valued by cybercriminals whose goal is to gain access to diagnoses and personal data. For example, in Russia, fraudsters identify people insured under voluntary health insurance programs and "help" lure them to other medical institutions.

Another type of fraud with medical data is that fraudsters, under the guise of physicians or representatives of pharmaceutical companies, advertise goods or services, most often drugs without state registration and dietary supplements. Attackers use not only medical histories but also information about single women and the elderly, the most suggestible social groups.

After the leak of medical data, fraudsters build and sell their own databases, and often demand a ransom. In May 2017, the Grozio Chirurgija plastic surgery clinic in Lithuania suffered from cybercriminals who hacked into the database and posted at least 25 thousand personal data and photos of patients on the Internet. Ransomware hackers have earned over a million dollars from the stolen information.

Any form of medical information brings great profit to cybercriminals. Security experts estimate that data from a medical record, even fragmentary data, is valued on the black market at hundreds of dollars, while bank card data fetches only about a dollar. The value of patient information is related to at least two circumstances:

  • In addition to passport data, medical records contain social security numbers. The thieves can issue a fake credit card in the victim's name, and then bill companies or the state under that false name for medical services that were never actually performed.
  • Information from medical records is constant and does not lose relevance over time. This means that it is a liquid asset that can be traded on the black market for a long time or used for personal purposes, for example, to sell one's own drugs.

Medical institutions are committed to solving the problem of leaks and protecting critical information, because it is about health and saving lives. The research company ABI Research forecasts that up to $10 billion will be allocated to protecting medical information by 2020.

In Russia, attempts have been made to protect medical data at the legislative level. Since 2009, there has been an order “On approval of the Unified qualification reference book of executive positions”. The healthcare section of the document provides qualifications for managers and employees responsible for data security. After the approval of the document, more personnel from the field of data protection from leaks began to work in hospitals and clinics, but the provision of information security personnel in medicine still leaves much to be desired.

Methods for protecting medical information

Medical data needs enhanced protection against leaks, hacks and theft. According to a study by HIMSS Analytics, only 25% of clinic managers monitor the safety of the data they receive in accordance with established standards. There are still few examples of clinics, medical institutions, or entire countries introducing new, effective protection technologies:

The Albert Schweitzer Ziekenhuis Hospital in the Netherlands, where 4,000 employees treat up to 500,000 patients annually, uses single-use (one-time) tokens and a cloud server to authenticate users in the system. This keeps the confidentiality of information at a high level, and also gives employees access to the institution's premises on demand.

Back in 2008, Sweden was one of the first to start developing a national "Electronic Health Record" system. The main task that the government set for the developers was to ensure maximum protection of medical data. For two-step identification, the system uses smart cards, logins and passwords with digital signatures. This helps keep track of what employees are doing with patient and clinic information. Patient information is generated on the basis of the National Patient Overview online portal, and all patient documentation is stored in the Electronic Healthcare Records system. Prescriptions are also issued electronically.

The Fraser Health Authority in Canada has developed a system of certificates: about 26 thousand middle and junior staff and 2.5 thousand doctors received smart cards to access records. The measure helped protect patient data from leaks, reduce operating costs, improve labor discipline and quality of work.

The Swedish and Canadian models performed well in 2017, and now more attention is paid to the protection of health information. Development of a security system for smartphones, which are less protected from hacker attacks, has begun. Among the developments are systems based on Bluetooth: as planned, a personal e-ID adapter is paired with the phone, the system recognizes and processes the employee's smart card, and then opens access to the data. This will give specialists greater freedom of action, allowing them to sign documents remotely and issue electronic prescriptions.

Electronic IDs and tokens are already successfully used in the healthcare systems of developed countries, since they protect information while providing quick access to it. At the same time, to prevent leaks and theft of information, a protection system must be selected with the characteristics of the particular medical institution in mind. Comprehensive solutions help prevent hacker attacks and the accidental spread of information outside the medical institution.