Medical Cybercrime is the New Credit Card Fraud
America is Finally Ditching Swipe & Sign
Most people will be familiar with the recent spate of high profile security violations involving the theft of consumer credit card information, such as the highly publicized Target Data Breach in late 2013–when hackers broke into Target’s servers and stole the details of over 100 million card holders. In the second quarter of 2014, Target’s financial reporting revealed the company had incurred a total of 236 million dollars in breach related costs to date.
Similar security violations involving White Lodge, Michaels, Home Depot, and Neiman Marcus have highlighted the serious shortcomings pertaining to the old school magnetic swipe and sign system which is still widely in use in the US today. In contrast, a more secure type of credit card transaction has been jointly developed by Europay, Mastercard, and Visa (EMV).
EMV has been in use in Europe since the early 90’s; credit card fraud in France has dropped by 80% since the technology was adopted there in 1992, and has fallen by 75% in Britain since its introduction in 2004.
EMV goes under the brand name of Chip N Pin in Great Britain and Ireland, and involves the utilization of a smart microchip which is embedded into every card. The user inserts their card into a card-reader (as illustrated below) and then types in a PIN number–this process generates a unique encoding for the credit card number and other pertinent information for each individual transaction, which is then transmitted to the merchant. This means that even if thieves do manage to steal any data, it will be as much use to them as an expired password.
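The per-transaction encoding described above can be sketched as follows. This is an added example, not code from the original article and not the EMV specification: HMAC-SHA256 stands in for the card's cryptogram algorithm, and the `ChipCard` and `Issuer` classes, the field layout and the card number are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

def _message(pan, atc, amount_cents, nonce):
    # Length-prefixed card number plus fixed-width fields: an unambiguous encoding.
    return struct.pack(">B", len(pan)) + pan.encode() + struct.pack(">IQ", atc, amount_cents) + nonce

class ChipCard:
    """Constructed model: the key stays on the chip, the transaction counter only goes up."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def sign(self, amount_cents, nonce):
        self._atc += 1
        msg = _message(self.pan, self._atc, amount_cents, nonce)
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self._atc, "amount": amount_cents, "nonce": nonce, "tag": tag}

class Issuer:
    """Holds each card's key and the highest counter value already accepted."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def verify(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "unknown card"
        msg = _message(txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), txn["tag"]):
            return "bad cryptogram"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "replayed"          # data copied from an earlier purchase
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo():
    pan, key = "4000000000000002", os.urandom(32)    # constructed test values
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key)
    first = card.sign(1999, os.urandom(8))
    results = [issuer.verify(first)]                 # genuine purchase
    results.append(issuer.verify(dict(first)))       # the same data presented a second time
    results.append(issuer.verify({**first, "atc": 2, "amount": 50000}))  # edited without the key
    results.append(issuer.verify(card.sign(500, os.urandom(8))))         # next genuine purchase
    return results

if __name__ == "__main__":
    print(demo())
```

Magnetic stripe data has no counterpart to the counter and keyed tag, which is why a copied stripe remains valid until the card is cancelled.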
If EMV technology offers greater security than the magnetic swipe card, then why has the US been so reluctant to adopt it? For the most part this is down to the unwillingness of merchants to invest in the costly equipment required to process EMV card transactions. Notwithstanding, since the 2013 Target breach–both Visa and Mastercard have stated that all merchants in the US will be required to install EMV compliant equipment by October 2015. Those merchants failing to comply with this mandate will be held liable for any credit card fraud after this date.
Technology in Healthcare is set to Explode
Meanwhile, as the US prepares to catch up with the rest of the world in providing safer credit card transactions for all of its citizens–a new wave of so called Disruptive Technology is starting to infiltrate into the field of Healthcare. Although this has been slow in comparison to other industries, such as Renewable Energy and Manufacturing–the Healthcare industry is just now starting to reap the first fruits of its initial investment.
In 2014 we witnessed some truly ground-breaking changes in certain Healthcare practices; such as Online Physical Therapy and TeleHealth Consulting. These and other profound changes are set to revolutionize the entire industry–as the entire Healthcare industry transitions into a highly efficient and cost effective business; delivering a higher quality of service and care to patients at a reduced cost.
A key element to the success of these changes will ultimately be a radical change in how patient information is stored, processed and utilized. Healthcare Administration departments throughout the industry are quickly realizing the enormous benefits to be gained from leveraging cutting edge technology, in the form of Electronic Medical Records (EMR) and Electronic Health Records (EHR).
Electronic Medical Data Provides Multiple Benefits
EMR’s store medical and clinical data which is only shared by one individual provider. EHR’s, on the other hand, go beyond the scope of EMR’s: by utilizing powerful database technology they are capable of storing and sharing all types of heterogeneous data, including X-rays and MRI scans. This allows a complete up to date patient profile to be stored and viewed in many different ways across all of the parties involved in the patient’s care plan (including the patient being treated).
The enormous benefits to be gained from digitizing patient data are indisputable; by facilitating better communication between the parties involved in the patient’s care plan, a more accurate diagnosis is possible.
A US National Survey of Doctors revealed the following statistics:
- 94% of providers report that EHR technology makes records readily available at the point of care.
- 88% report that EHR produces clinical benefits for the practice.
- 75% report that EHR provides enhanced patient care.
EHR’s also have the ability to perform sophisticated computations on the stored data–for example whenever a new medication is prescribed, an EHR system will check for potential drug conflicts and automatically trigger an alert if necessary.
A study carried out in 2013 by the Kaiser Permanente Center for Health Research, which involved more than 7000 children from Hawaii and Oregon, found that Health Portals offering patient access to EHR’s helped parents to better manage their children’s health, especially when it came to preventative care. According to the study, which was published in the Journal of Pediatrics, parents with access to their children’s Healthcare information were 2.5 times more likely to bring their infants in for regular check ups, as well as keeping up to date with their vaccinations.
The Benefits of EHR’s are Offset By Additional Security Risks
The use of Healthcare Portals for accessing shared patient information is increasing expeditiously; this is not surprising since they encourage patients to take an active role in managing their own health care–by providing access to relevant up to date information on demand. Notwithstanding, because these portals are accessed from multiple points they unwittingly introduce additional security risks by rendering patient data more vulnerable to cyber attacks.
The astronomical cost of today’s health insurance is driving many to seek free medical care via stolen data they purchase from cyber-thieves. EHR’s contain a vast amount of Personally Identifiable Information (PII), including dates of birth and social security numbers, as well as sensitive medical data whose exposure can violate a patient’s right to privacy. If on-line payment for medical bills has been enabled, it also provides the potential for gaining access to the victim’s financial details.
In Feb 2015 the servers of Anthem (the 2nd largest “Health Insurance” provider in the US) were compromised by hackers, which resulted in the theft of tens of millions of customer records. Medical identity theft is much harder to detect than its credit card counterpart, and it therefore offers a larger window of opportunity to fraudsters. For example, a stolen credit card is only useful from the time of theft to the point where the card-holder cancels the card and receives a new number, whereas the lifespan of stolen medical information is much longer, since the data never changes even if it has been compromised.
Because medical data provides a much broader utility for cyber-criminals, it carries a higher value than credit card data. The average street value for a stolen credit card number is just $1 USD; whereas the World Privacy Forum (WPF) has reported the market value for a medical record is around $50–however when a Fullz (full profile) is offered for sale, the price can dramatically increase up to an additional $500.
Healthcare Providers are Unprepared for the Rising Risks
Since financial institutes and retailers have been the traditional targets of cyber crime, they have garnered considerable knowledge and experience in mitigating the risk posed by cyber threats. Healthcare providers, on the other hand, have very little experience when it comes to cyber-crime. In order to reduce this current threat, Healthcare providers must be willing to invest heavily in system security, whilst leveraging the knowledge gained from retailers and financial services. For example, they need to understand that a secure password is not secure at all if it is entered from a computer that has been infected with malware which records every keystroke the user types and then transmits this information to cyber thieves.
The once popular stereotype of a lone techno nerd breaking into an organization’s computer system purely for fun has truly given way to something far more sinister and terrifying. Today’s hackers consist of highly organized groups of people who are both ruthless and extremely competent; by leveraging sophisticated technology coupled with superior collaboration and coordination strategies, they have been immensely successful in subverting the security measures implemented by numerous organizations.
Healthcare providers face many challenges when it comes to protecting patient information; the following is by no means an exhaustive list, but covers many of the crucial points Healthcare providers need to consider when designing and implementing the security component of their on-line systems.
- Impose User Integrity: Healthcare Providers must provide adequate checks to ensure that the users who are attempting to enroll/logon are who they say they are, before granting access to any applications/data held on the system. In particular this means securing access to their on-line portals.
Note: For our purposes, the term user refers to any authorized user of the system; this includes patients, medical professionals, health insurers and anyone else involved in the patient’s care plan.
- Monitor Suspicious Activity: The system must be capable of analyzing each activity for unusual patterns of behaviour, and generate alerts when any strange or unusual activity is encountered.
- Educate Users: Users (as defined above) must be educated on the dangers of phishing and malware; the degree of training required will be dependent upon the level of access each user has been granted.
- Continually Test For Weaknesses in the System: This will require a dedicated team of specialists who will constantly perform various pseudo cyber attacks on a mirror image of the system, in order to flush out any potential system vulnerabilities. A number of software vendors have produced specialized software to assist Healthcare providers in carrying out this kind of Risk Assessment; certain institutions such as HealthIT.gov in the US provide this type of software free of charge.
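One way to implement the "Monitor Suspicious Activity" item above is to count how many distinct patient records each portal account opens within a short window. This is an added example, not part of the original article; the audit-event layout, the role names, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Assumed limits on distinct records per window; a role not listed here gets 0 (fail closed).
THRESHOLDS = {"patient": 1, "clinician": 5}

def _ev(minute, user, role, record):
    # Helper that builds one constructed audit event: (ISO timestamp, user, role, record id).
    ts = datetime(2015, 3, 2, 9, 0) + timedelta(minutes=minute)
    return (ts.isoformat(), user, role, record)

# Constructed sample data, not real portal logs.
EVENTS = (
    [_ev(m, "pat-17", "patient", "rec-17") for m in (0, 3, 40)]                   # own record only
    + [_ev(m, "dr-lee", "clinician", f"rec-{m}") for m in range(0, 120, 20)]      # 6 records over 2 hours
    + [_ev(20 + i, "nurse-07", "clinician", f"rec-{100 + i}") for i in range(8)]  # 8 records in 8 minutes
    + [_ev(30, "pat-42", "patient", "rec-42"), _ev(31, "pat-42", "patient", "rec-55")]
)

def find_alerts(events, thresholds=THRESHOLDS, window=WINDOW):
    """Return (user, timestamp, distinct_records) the first time a user exceeds their limit."""
    recent = defaultdict(deque)   # user -> (time, record) pairs still inside the window
    alerted, alerts = set(), []
    for ts, user, role, record in sorted(events):   # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        queue = recent[user]
        queue.append((now, record))
        while now - queue[0][0] > window:           # drop accesses older than the window
            queue.popleft()
        distinct = len({rec for _, rec in queue})
        if distinct > thresholds.get(role, 0) and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The clinician who opens six records over two hours stays below the limit, while the burst of accesses and the patient account reading a second person's record are both flagged.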
As the implementation of EMV technology evolves into a global phenomenon, cyber criminals are fully aware that the life-cycle of credit card theft is hurtling towards a rapid demise. However, with an established and proven infrastructure already in place, these criminals are now focusing their efforts on targeting alternative markets–such as the Healthcare industry, which offers cyber-thieves the potential of gaining far more lucrative profits.
Healthcare providers face higher risks than retail and financial services, due to the nature of the data which resides on their servers, and the existence of multiple access points. Cyber-criminals are ready and able to fully exploit these vulnerabilities, since the Healthcare industry is a technological fledgling, and therefore no match for the hackers who are the seasoned experts in both technical knowledge, and experience.
Extreme security measures are key in providing secure cutting edge systems, which not only provide fast and easy access to relevant information for those who are authorized to do so–but also implement adequate security and instil confidence in the end user. Unfortunately, with the increased number of breaches in Healthcare data we are clearly a long way from achieving this objective.
The new US Government website Healthcare.gov, which was designed to meet the demands of the Affordable Care Act (frequently referred to as Obamacare), is a prime example of how inferior software systems are being pushed through with no consideration given to securing patient data: shortly after its launch in Oct 2013, the servers of Healthcare.gov were compromised at least 16 times. Clearly the attempts by governments to enforce security measures through legislation, like the Health Insurance Portability and Accountability Act (HIPAA) in the US, are failing spectacularly.
The challenge presented to Healthcare providers is in creating a system that offers a high degree of usability, while at the same time imposing an acceptable level of security. Achieving the right balance is not an easy task to accomplish for any type of computer system: if you make the interface too complex you will alienate your users; on the other hand, if the security component is flawed the consequences can be catastrophic. The concept of human cognition is so far-reaching that it has developed into an important branch of Computer Science known as Human Computer Interaction.
Getting the right balance between usability and adequate security is crucial for the Healthcare industry–if they succeed, it will create a more efficient and cost effective Healthcare industry; one capable of providing enhanced services at a reduced cost, with the potential of saving many more lives. However if they fail to leverage the knowledge gained from the past mistakes of other industries and refuse to treat security as one of their top priorities, it could have serious consequences; potentially damaging entire economies and destroying the lives of millions.