What cybercriminals steal when they hack hospitals
When hospitals have access to your electronic medical record, you get better care. Depending on what you’re admitted for, readily available digital health information could be the difference between life and death.
But information made digital is information made hackable. Hackers nab more than just your credit cards, social security number, and other demographic and financial information tied to your identity. Hospital breaches include theft of sensitive health information. It’s modernity’s big tradeoff between data access and data security. It’s also a challenge for the next generation of precision medicine. For instance, a big-data-scale aggregate of detailed, sensitive health information is crucial for developing tomorrow’s treatments and cures.
“Our speculation is that maybe there’s a perfect solution for this tradeoff,” says Xuefeng Jiang. Jiang is the lead author of a study out today in Annals of Internal Medicine. The research looks at exactly what kind of data hackers are going after when they attack hospitals.
The study analyzes 1461 breaches from 1388 facilities (some breached multiple times). The study shows that these breaches affected 169 million patients between October 21, 2009 and July 1, 2019. Jiang and his team divided the type of data stolen into three categories: financial, demographic, and personal.
What hackers are really after
“People think if you have more data visibility, [data] shared widely with researchers or with doctors, you’re going to face more risk of potential breach– be more likely to lose data or get hacked,” says Jiang. He feels this concern doesn’t take into account the hacker mindset. Hackers are largely opportunistic, seeking mostly financial information. “They can’t make money directly on patients’ medical results.”
The study shows that out of the 168 million patients affected. 70% of the breaches impacting approximately 95% of patients were targeting demographic or financial information. Hackers picked up medical information exclusive of demographic or financial information in only 16% of the breaches. This resulted in affecting 6 million patients. Whereas, sensitive medical information was stolen in only 2% of breaches impacting 2.4 million patients.
Jiang thinks cybercriminals are not targeting sensitive medical information in order to pull off elaborate blackmail schemes. Instead, the relatively small percentage of medical-information-only hacks is most likely a byproduct of hackers reaching in and grabbing clumps of whatever data they can get.
The “perfect” solution
If sensitive electronic medical record isn’t the target, Jiang thinks hospitals and research institutions can share important health information more securely if they use separate systems. Use one system to store and share medical information between healthcare providers and researchers. However, use a separate system to store and share demographic and financial information between hospital administration staff.
For anyone concerned about disclosing medical information, Jiang’s personal takeaway from this analysis is emphatic: “Don’t worry about sharing [medical] information with your doctors.”
How hackers get in
“We found more than half of data breaches could be attributed to healthcare providers’ internal mistakes or negligence.” Jiang lists the most common ways hackers infiltrate hospitals:
- Not encrypting laptop computers
- Using ‘cc instead of ‘bcc when emailing patients
- Not revoking former employees’ login credentials after employment is terminated
Researchers found that mobile devices (laptops, USB drives, etc.) are linked to more data breaches. In comparison, hard copy paper records or breaches on network servers are lower. Results suggest that training hospital staff in cybersecurity behaviors will help. Additionally, limiting the use of mobile devices might go a long way to help mitigate data breaches.
For an in-depth discussion about our world built on a cyberinfrastructure, meet the woman who drafted the cybersecurity, infrastructure protection, emergency preparedness, bioterror, and science and technology directives that led to the creation of the Department of Homeland Security (video interview from Jesse’s Office with Kiersten Todt, produced by the author of this article).