Retail stores are one thing, but today’s sophisticated hackers go after medical records, which can sell for ten to twenty times as much as your typical credit card number. Recent attacks on Anthem and Premera Blue Cross suggest that companies holding medical records will be on the frontline in the cyberwars sooner rather than later, regardless of their size, and whether they are ready or not. The cyberattack on the UCLA Health System that was recently disclosed, and which may have affected up to 4.5 million patients, drives this point home.
Numerous accounts suggest that, despite the risk to themselves and their customers, many – if not most – health-related companies are unprepared to face the threat. But, as many experts have said, it’s not a question of if a company will experience a cyber-incident, but when. The value of medical records to cyber criminals increases the odds that those who hold those records will be attacked in the short-term.
For cyber criminals, the information in medical records, including Social Security numbers, dates of birth, home addresses, medical insurance numbers, and treatment information, is a gold mine. There are dozens of illicit uses for this information, from fraudulent applications for credit, to the identification of competitively sensitive business information, to the filing of false tax returns, to the acquisition of prescription drugs and medical equipment, to the filing of fraudulent insurance claims. The information in medical records is also less perishable than stolen credit card information, since misuses can take longer to detect and won’t be stopped by changing a card number. Just imagine the uses to which a criminal can put a child’s Social Security number, for example. People generally do not run a child’s credit report because kids are usually not trying to qualify for loans or credit cards until they are 18. Use your own experience as a barometer – when is the last time you ran your child’s credit report? Bottom line: cyber criminals will keep trying to steal this information until defenders make it too difficult for them.
For now, health-related companies generally lag behind financial institutions and other traditional victims of cyber-attack in protecting their systems, mainly because they have not seen themselves as targets until very recently. As a result, cyber criminals have found it comparatively easy to obtain medical records.
We know the kind of impact that identity theft can have on individual victims. But what about a data breach for a health-related company? Well, the word “catastrophic” comes to mind. Damage to a company’s business reputation and the potential loss of critical intellectual property could be just the start. A company subject to a data breach would also be exposed to potential money penalties and civil liability.
Federal and state authorities have made it abundantly clear that the security of healthcare records is among their top priorities. The Health Insurance Portability and Accountability Act (“HIPAA”) establishes penalties of up to $1.5 million per violation for improper disclosure of medical information, and the Department of Health and Human Services (HHS) Office of Civil Rights has recently extracted large settlements from health-care companies for failing to take reasonable steps to preserve data security. The Federal Trade Commission (FTC) has also weighed in, under different authorities, as an enforcer of healthcare data security. And state Attorneys General have also entered the regulatory arena.
As significant as federal and state penalties may be, the more significant exposure for companies may come from civil lawsuits. HIPAA sets out what courts treat as “best practices” for protecting medical records, so a breached health-related company will inevitably face lawsuits alleging failure to meet the standard of care. Less than a month after its breach was disclosed, Anthem was hit with more than 50 class-action lawsuits. Within a week of disclosing its data breach, Premera Blue Cross was hit with five class-action lawsuits. With millions of records breached, estimates of the cost of repairing the harm of medical identity theft in the tens of thousands, and the fact that criminals can wait to use the information they’ve stolen, companies’ potential exposure from a breach is both massive and long-term. No health-related company can afford to ignore the risk that medical records it holds could be stolen.
What will happen in the case of entities like the UCLA Health System, which already settled once with federal regulators for HIPAA violations and which was reportedly in the process of hardening its systems, is anyone’s guess. Despite its earlier incident with improperly disclosed electronic records, the UCLA Health System had not encrypted its data. And the newly-reported hack apparently occurred because an administrator’s credentials were compromised. Neither fact will be helpful to UCLA going forward.
So, what to do? Health-related companies, regardless of their size, must recognize that they are prime targets for cyber-criminals, and act to protect the medical data they hold, as well as themselves. The appropriate protective actions will vary by company, but three core principles can be distilled from resources such as the NIST Cybersecurity Framework and the Department of Justice Cybersecurity Unit’s Best Practices for Victim Response and Reporting of Cyber Incidents.
First, regardless of size, health-related companies must treat medical data as their “crown jewels” and protect them accordingly. What the appropriate protection entails will vary based on many factors, but could include upgrading information systems, tightening access controls, and/or encryption of data and communications. Second, given the near-certainty of an intrusion, companies must develop an actionable plan for how to handle an intrusion. As the DOJ has noted, “[a] cyber incident is not the time to be creating emergency procedures or considering for the first time how best to respond.” Third, companies should have the right resources – with emphasis on the right people – lined up in advance. The DOJ’s recommendations for the “right people” include counsel experienced in dealing with data breaches to reduce response times and help mitigate the harm of a breach.
Regardless of what specific measures are appropriate for a particular health-related company to protect its medical data, one thing is certain: ignoring the threat is not a viable strategy. Medical data is a goldmine for cyber-criminals, and its value will encourage cyber-criminals to pursue it wherever and however they can. As larger health-related companies take steps to protect their data and themselves, the focus of cyber-criminals’ efforts may shift to smaller, potentially more vulnerable companies. Prudent health-related companies of all sizes should already be taking steps to avoid being the next headline about a breach of medical data.