Why Is Healthcare Data So Valuable to Cybercriminals?

On the black market, healthcare data is far more valuable than payment card information. What does this tell us about the need to secure patient information?

Criminals still buy and sell credit card information on the dark web, but healthcare data commands a much higher price. The reason is simple: payment card information is relatively easy to change, and thieves have no use for invalid credit card numbers. But healthcare information is very difficult or even impossible to change, which allows thieves to really cash in and creates an incentive to home in on security vulnerabilities at hospitals, clinics, and insurance companies.

Patients’ Most Private Information Is at Risk

Just think about the information you’re asked to provide when making an appointment with a new healthcare provider: your contact information, birth date, social security number, the name of your insurance company, your policy number, and maybe even the name of your employer. In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) refers to this information collectively as protected health information—and when it’s stored electronically, electronic protected health information (ePHI).

Our health information is so appealing to thieves because the data has a long shelf life and can be used for so many malicious activities. Thieves can make purchases with stolen credit card numbers until the fraud is discovered and the card issuers cancel the affected cards, but healthcare information offers more opportunities for fraud.

Healthcare Organizations and Patients Pay a High Price

Cybercriminals can use ePHI to buy drugs and medical equipment that can be resold. Patient information can be used to commit corporate extortion, similar to the widely publicized ransomware attack on a Hollywood hospital. Medical information even makes it possible for fraudsters to impersonate patients and obtain treatment.

The volume of information included in a single healthcare record also allows criminals to commit identity theft, opening new lines of credit and obtaining fake IDs. This fraud takes longer to detect than typical credit card fraud, and it’s also more difficult for patients to recover from. Correcting inaccurate credit records can take months or even years. And if criminals max out a patient’s insurance policy limits, that person could be left without coverage until the matter is resolved.

These problems all begin with data breaches at healthcare organizations, which also face serious consequences. The average cost of a lost or stolen customer record is $158, but the average cost per record reaches $355 in the healthcare industry, according to the Ponemon Institute’s latest data. These costs include customer notification, business lost as a result of the breach, breach response activities, and government fines.

Healthcare IT Teams See the Security Risks

In a survey of IT staffers at healthcare organizations, respondents reported an average of one cyberattack per month. These IT professionals also demonstrated a generally pessimistic attitude about their organizations’ ability to mitigate security risks, given their current levels of staffing and cybersecurity investment. That mindset seems perfectly logical when you consider the 112 million health records lost, stolen, or exposed in 2015.

Department of Health and Human Services Steps Up HIPAA Enforcement

Cyberattackers’ demand for ePHI shows no signs of slowing. What is increasing is HIPAA enforcement.

Through July of 2016, the Department of Health and Human Services’ Office of Civil Rights (the government agency tasked with HIPAA enforcement) has issued about $15 million in fines. That’s a substantial increase over the roughly $6 million in HIPAA fines issued in 2015.

The government has also begun phase two of its HIPAA audit program, which includes organizations directly covered by HIPAA and some business associates. This round of audits is broader in scope than the first phase of the audit program, which took place in 2011 and 2012 and did not include business associates. Auditors will focus on the HIPAA provisions that were identified as common areas of noncompliance during the first audit phase.

Several security experts believe 2016 is a turning point in HIPAA enforcement. Time will tell whether this trend continues, but healthcare organizations have several compelling reasons to examine their security controls and HIPAA compliance measures. Healthcare data breaches are some of the most expensive breaches per lost or stolen record. And since thieves have caught on to the value of health records, the healthcare industry has every reason to expect to see more cyberattacks in the future.
