Healthcare records were digitized to help prevent medical errors such as misdiagnoses and mistakes with medication, but electronic health records (EHR) have made it easier for bad actors to steal patients’ highly personal information.
Cyberattacks on hospitals are “increasing exponentially year after year,” Ellen Neveux wrote in secure remote access provider SecureLink’s blog.
“Healthcare data is valuable on the black market because it contains all of an individual’s personally identifiable information, as opposed to a single marker that may be found in a financial breach,” Neveux stated. Often, these attacks see “hundreds of thousands of patients’ data compromised or stolen.”
That data can be used by crooks for financial fraud such as filing false tax returns or applying for credit using a stolen identity.
Healthcare IT professionals’ greatest fears are stronger or more frequent cyberattacks, and users ignoring security guidelines, as stated by security software firm Netwrix in its 2020 Cyber Threats Report.
The number of reported healthcare data breaches and of breached records fell between January and June, but cyberattacks are expected to surge through to the end of the year, according to cybersecurity firm CI Security.
That’s because patient medical records “are worth as much as 10 times more than credit card numbers on the Dark Web,” CI Security maintains. “Healthcare organizations will require more cybersecurity vigilance than ever before.”
Big Tech in Healthcare
Google, Microsoft and Apple have all entered the healthcare field, while Facebook has announced plans to do so.
Google’s efforts include the Google Cloud for healthcare and life sciences; signing a 10-year strategic partnership with the Mayo Clinic under which it will store and secure the clinic’s data; and working on an EHR model that uses machine learning to forecast and predict patients’ health outcomes.
Microsoft will launch the Microsoft Cloud for Healthcare at the end of this month, which will provide self-service portals and applications that help patients interact directly with health teams, among other things.
Facebook is offering a preventive health tool in conjunction with health organizations in the United States, such as the American Cancer Society and the American Heart Association, that connects people to health resources and reminders for checkups and vaccinations.
Information users provide will be “securely stored and access is restricted” to company staff who work on the product or maintain its systems, Facebook stated.
Big Tech’s Ongoing Data Privacy Issues
Google and Facebook have a poor record when it comes to data privacy, both having been fined repeatedly by the European Union for breaching privacy laws.
Here in the U.S., the Federal Trade Commission in 2012 fined Google US$22.5 million for circumventing privacy protections on the Safari Web browser to track iPad, iPhone and Mac users on Safari.
Last year, the FTC fined Google and YouTube $170 million for violating child privacy laws.
Right now, Google is fighting a $5 billion lawsuit in the U.S. for covertly tracking consumers’ Internet use through browsers set in “private” mode, whether or not they click on ads it runs. The company is also facing a lawsuit over tracking consumers in apps even when they opt out.
As for Facebook, the FTC last year slapped it with a $5 billion fine and sweeping new privacy restrictions for violating consumer privacy.
The social media giant was fined about $650,000 by the UK for its part in the Cambridge Analytica scandal, where millions of Facebook users’ personal data was harvested without their consent.
In March, a database containing 309 million Facebook users’ IDs, phone numbers and names was left exposed on the Web for anyone to access without requiring a password or other form of authentication, privacy advocate and tech writer Paul Bischoff wrote in pro-consumer tech website Comparitech. That data was also posted to a hacker forum as a download.
Later in March, a second server was exposed on the Web, apparently by the same criminal group. This contained 42 million more records than the first.
Apple and Microsoft have not faced these issues to date, but in January Microsoft exposed nearly 250 customer service and support records on the Web, Bischoff reported.
These contained logs of conversations between Microsoft support agents and customers worldwide between 2005 and December 2019. The data was accessible to anyone with a Web browser and “could be valuable to tech support scammers in particular,” Bischoff said. Such scammers often claim to be Microsoft representatives and try to talk victims into allowing remote access to their computers.
“Cloud security is like voodoo,” Shustin wrote. “Clients blindly trust the cloud providers and the security they provide.”
Most popular cloud vulnerabilities focus on the security of the client’s applications, and not the cloud provider infrastructure itself, Shustin stated. “We wanted to disprove the assumption that cloud infrastructures are secure.”
In July, cybercriminals hijacked more than 240 websites hosted on Azure. This was “a subdomain takeover, which is a common industry-wide threat,” a Microsoft spokesperson said at the time, in a statement emailed to bluehillco by Rhoades Clark from Microsoft’s PR firm WWE-Worldwide. Microsoft subsequently issued guidance on how to prevent this from happening.
Fear and Loathing Among Consumers
There is little trust that Facebook will adhere to its pledge of maintaining privacy.
“As many market watchers know, what Facebook says it will do and what Facebook actually does in practice are two different things,” Victoria Rohrer wrote for financial and investing advice firm The Motley Fool.
The high-tech companies all say they will remove personally identifiable data, but that may be an empty promise, especially if they are partnering with healthcare institutions.
“Theoretically the tech company should not be able to re-identify the patient from a de-identified data set but, when the tech company already has vast quantities of information on just about everyone, the likelihood the individual could be identified does increase,” Marti Arvin, executive advisor at healthcare cybersecurity consulting firm CynergisTek, told bluehillco.
For example, Google tracks people through smart home devices, smart cars, Google Assistant on their smartphones, possibly through their use of Google Voice and Google Fiber, and their searches online. A recently introduced feature in Google Assistant makes personalized recommendations of restaurants and recipes based on the user’s search history and smart device data.
This “reconfirms the emerging trend of using consumer data to analyze their demands and drive personal offerings,” Jerrold Wang of Lux Research wrote. Google “has the potential to shape the sales of different consumer packaged goods with highly customized product recommendations using data obtained through its different collection modes, like its search engine, wearables, and home devices.”
Facebook tracks users in multiple ways. In addition to tracking them when they click on its ads or interact with others on its pages, Facebook can bring in information from WhatsApp and Instagram, both of which it owns. The social media giant also has partnerships with many marketing firms and ad networks, so activities on other sites can be combined with users’ Facebook profiles. The Facebook pixel, which lets websites and online retailers get information about their visitors, also track users.
On mobile devices, Facebook’s mobile apps log the WiFi networks users connect to, the type of phone they have, the other apps they have installed, and everything they do on Facebook’s platform.
Google and Facebook make money off ads, and, “when you create a conflict between doing what’s right and making money, the money generally wins,” Rob Enderle, principal at business advisory group The Enderle Group, told bluehillco.
Cybersecurity Is a Group Effort
Google’s parent company Alphabet, IBM, Amazon, Microsoft, Oracle and Salesforce pledged in 2018 to support a common set of standards to improve health data sharing across providers.
This set of standards, known as Fast Healthcare Interoperability Resources (FHIR), defines how healthcare information can be exchanged between different computer systems regardless of how it’s stored.
“Often compliance doesn’t equal cybersecurity,” Ilia Sotnikov, VP of Product Management at Netwrix, told bluehillco. Organizations often treat compliance requirements as a list of check boxes to fill in.
“This helps with passing compliance audits but doesn’t help with cyber risk,” Sotnikov noted.
“Securing data in the cloud is a shared responsibility between the healthcare facility and the cloud provider,” Sotnikov said. “The cloud provider will be responsible for physical security and patching, but it won’t help you against social engineering attacks or insider attacks.”
To strengthen data security, Sotnikov recommends healthcare organizations invest in additional layers of security, such as:
- Control of data access
- Monitoring user activity to more rapidly detect anomalies such as bulk file copying or accessing data without authorization
- Adopting employee screening
“The cloud helps to cut costs on hardware and maintenance, but there’s still a need for a skilled cybersecurity professional to make strategic decisions, a team to implement internal controls, and software and policies to make this work,” Sotnikov said.
AllegisCyber founder and managing director Robert Ackerman says that the security of private cloud providers is not up to snuff and suggests encryption.
“Encryption helps against unauthorized access of the cloud provider’s employees, but it’s not a silver bullet,” Netwrix’s Sotnikov noted. “If the encryption key is easily available for all employees or if access to the application that runs on top of this data is not properly governed, all encryption efforts are in vain.”
The insider risk is “extremely high” in healthcare because many ERH systems provide access to patient data to many employees to ensure patients can get the right treatment in timely fashion, Sotnikov said. “When data is overexposed, security risks also grow.”
Techjury, which consists of a group of software experts, calls the insider threat one of the most underestimated areas of cybersecurity.
In March, the U.S. Department of Health and Human Services finalized rules it said would provide patients more control over their health data. However, this may not quite work out the way it was intended.
“The Information Blocking Rule gives patients more control over access to, and the sharing of, their information, but not more control over the data as it resides with the healthcare organization,” CynergisTek’s Arvin said.
Sustained Vigilance Required
There’s a wide variance among healthcare entities when it comes to HIPAA compliance, Arvin noted. The human factor also comes into play. “It takes just one human to click on the wrong link.”
Further, hackers are constantly developing increasingly sophisticated methods for getting to data, “so it’s a daily struggle for organizations to get ahead of bad actors,” Arvin remarked. At best they can stay even.
The attitude of high-tech companies toward privacy issues doesn’t help. For example, in the lawsuit against Google for tracking consumers on apps without their consent, the company on Oct. 1 argued in court that users have agreed to share their data and haven’t been harmed, Law360 reports.
“Tech companies have experience and technology to work with big data, but we need legislation, media and public oversight to monitor how this data is used,” Sotnikov pointed out.