Imagine if you could search someone’s name on Google, and their full span of medical data and complete medical history was available. An employer could do it, a potential date could do it, an estranged family member could do it – how scary would that be?
There’s debate about how much the average piece of medical data is worth, but trust us, it adds up. The many facets of the healthcare industry – hospitals, pharmacies, insurers, clinics, outpatient facilities, any type of doctor’s office, and every vendor that supports them – combined with healthcare’s under-developed information security and cybersecurity strategies, makes it the perfect industry for malicious attackers to target. But why would someone even want to steal or compromise medical data? What is it worth to them? How can penetration testing help?
It could be personal.
In 2018, a Canadian pharmacist was caught using electronic health records to snoop on 46 people she knew. It had been her routine for years. This included spying on family members, coworkers, former classmates, someone she’d been in a car wreck with, her child’s therapist, her child’s girlfriend, and her own medical professionals. Even after she was fired, the pharmacist still found unauthorized access to the electronic health records and continued to take advantage of it. Sounds random, harmless, but personal, right?
Medical data could also be used for personal, yet malicious, reasons. Sensitive information like plastic surgery history, any medical condition with a social stigma, or behavioral health challenges could be used as blackmail.
It could be financially-motivated.
Family history, Social Security Number, date of birth – elements of medical data rarely change, making it have more lasting value than most other types of personal data. This is why medical data is a major component of identity theft. There’s enough information gleaned from medical data to completely steal an identity and commit medication fraud, financial fraud, insurance fraud, or worse. Identity theft succeeds through medical data because the data is so private and difficult to alter, for both the living and the deceased. Selling medical data for the purpose of identity theft could be an entire career for some hackers.
Hackers don’t sell medical data only on the black market, though. Research and marketing companies want information about their consumers, right? What about competitors? Would they pay a hacker to steal a medical organization’s expensive research, clinical trial results, or prototypes? How much would a news outlet pay for a professional athlete’s medical data? Or a tabloid for a celebrity’s pregnancy update or plastic surgery history?
It could be an accident.
Employees or business partners to the healthcare industry could compromise medical data unintentionally. It’s unfortunate, but true. The HHS gives example after example of cases where this has occurred. For example, a municipal social service agency disclosed medical data while processing Medicaid applications by sending data to vendors that were not business associates. In another case, due to a flaw in a computer system, a national health maintenance organization sent explanation of benefits by mail to a complainant’s unauthorized family member.
Some employees may think they’re complying with HIPAA or not doing anything wrong, but still inadvertently compromise medical data. An outpatient surgical facility believed that under the Privacy Rule, it could disclose PHI to a research entity for recruitment purposes. But when the facility didn’t get the patient’s authorization or any other type of waiver of authorization, it found itself violating HIPAA’s permissible uses and disclosure rules.
Penetration Testing to Protect Medical Data
Patient engagement, innovative tools, quality of care, and managing the cost of healthcare are all priorities among healthcare providers, and new technology can be a way to meet all of those needs. With this new shift, though, comes more data, more processes, and more ways for an attacker to breach a healthcare organization.
Regular, thorough penetration testing could be an appropriate security solution for many healthcare organizations. With the amount of security updates, segmentation, logging, and monitoring that has to be done across healthcare organizations’ networks and systems, penetration testing could provide that extra set of eyes to observe any vulnerabilities that could put patients at risk. When penetration testing is performed to support healthcare organizations, the goal is to identify issues that could result in unauthorized access to electronic medical data. Internal or external network penetration testing, web application penetration testing, API testing, mobile app penetration testing, code review, social engineering – there are many options that could be useful to a healthcare organization’s security efforts.
If you’re thinking, “We’re already HIPAA compliant,” what extra efforts are you putting in to ensure medical data is protected? If you have an internal audit team or internal penetration testers, don’t you want outside professionals to come in and validate your security? The severity and complexity of the threats facing healthcare organizations are only increasing. Healthcare organizations need to go above and beyond required testing and compliance to actually secure medical data and protect patients. Could penetration testing be of value to your organization? Let’s find out.