Medical Cybercrime is the New Credit Card Fraud

By Dave Ward on March 5, 2015

America is Finally Ditching Swipe & Sign

Most people will be familiar with the recent spate of high-profile security breaches involving the theft of consumer credit card information, such as the highly publicized Target data breach in late 2013, when hackers broke into Target’s servers and stole the details of over 100 million card holders. In the second quarter of 2014, Target’s financial reporting revealed that the company had incurred a total of 236 million dollars in breach-related costs to date.

Similar breaches involving White Lodging, Michaels, Home Depot, and Neiman Marcus have highlighted the serious shortcomings of the old-school magnetic swipe-and-sign system, which is still widely in use in the US today. In contrast, a more secure type of credit card transaction has been jointly developed by Europay, Mastercard, and Visa (EMV).

EMV has been in use in Europe since the early 1990s. Since France adopted the technology in 1992, credit card fraud there has dropped by 80%, and it has fallen by 75% in Britain since its introduction in 2004.

Tap Technology

EMV goes under the brand name Chip and PIN in Great Britain and Ireland, and relies on a smart microchip embedded in every card. The user inserts the card into a card reader (as illustrated below) and types in a PIN; the chip then generates a unique, one-time code covering the card number and other pertinent details of that individual transaction, which is transmitted to the merchant. This means that even if thieves do manage to steal the transaction data, it will be as much use to them as an expired password.
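The following is an added illustration of the per-transaction code described above; it is not code from the article or from the EMV specifications. Real EMV derives 3DES/AES session keys and computes an ARQC; here HMAC-SHA256, a counter and a terminal nonce stand in for that, and the card number is a constructed test value.

```python
import hmac
import hashlib
import os

# Toy model of the EMV idea: the card's key never leaves the chip, and every
# transaction produces a fresh one-time code bound to the amount, a counter
# and a terminal nonce. HMAC-SHA256 is an illustrative stand-in for the real
# EMV cryptogram (ARQC), not the actual algorithm.

class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan = pan            # card number (same on every transaction)
        self._key = key           # issuer-shared secret, never exported
        self.atc = 0              # application transaction counter

    def authorise(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Produce the data a terminal forwards to the issuer for one purchase."""
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{self.atc}|{terminal_nonce.hex()}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce.hex(), "cryptogram": code}

class Issuer:
    def __init__(self, keys: dict):
        self.keys = keys          # pan -> shared key
        self.last_atc = {}        # pan -> highest counter already accepted

    def verify(self, req: dict) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        msg = f"{req['pan']}|{req['amount']}|{req['atc']}|{req['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False          # amount, counter or nonce was altered
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False          # counter already used: a replayed capture
        self.last_atc[req["pan"]] = req["atc"]
        return True

def run_demo() -> tuple:
    """Returns (genuine accepted, replay rejected, altered amount rejected)."""
    key = os.urandom(16)
    card = ChipCard("4000000000000002", key)        # constructed test PAN
    issuer = Issuer({card.pan: key})
    purchase = card.authorise(1999, os.urandom(4))
    genuine_ok = issuer.verify(purchase)
    replay_ok = issuer.verify(dict(purchase))       # same bytes sent again
    altered = dict(purchase, amount=99999)          # captured data, new amount
    altered_ok = issuer.verify(altered)
    return genuine_ok, replay_ok, altered_ok
```

The static card number is all a thief would learn from a capture; without the chip's key, neither replaying nor editing the captured record verifies at the issuer.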

If EMV technology offers greater security than the magnetic swipe card, then why has the US been so reluctant to adopt it? For the most part this is down to the unwillingness of merchants to invest in the costly equipment required to process EMV card transactions. Nevertheless, since the 2013 Target breach, both Visa and Mastercard have stated that all merchants in the US will be required to install EMV-compliant equipment by October 2015. Merchants failing to comply with this mandate will be held liable for any credit card fraud after this date.


Technology in Healthcare is set to Explode

Meanwhile, as the US prepares to catch up with the rest of the world in providing safer credit card transactions for all of its citizens, a new wave of so-called disruptive technology is starting to infiltrate the field of Healthcare. Although this has been slow in comparison to other industries, such as renewable energy and manufacturing, the Healthcare industry is just now starting to reap the first fruits of its initial investment.

Healthcare Physicians

In 2014 we witnessed some truly ground-breaking changes in certain Healthcare practices, such as online physical therapy and telehealth consulting. These and other profound changes are set to revolutionize the entire industry as it transitions into a highly efficient and cost-effective business, delivering a higher quality of service and care to patients at a reduced cost.

A key element to the success of these changes will ultimately be a radical change in how patient information is stored, processed and utilized. Healthcare Administration departments throughout the industry are quickly realizing the enormous benefits to be gained from leveraging cutting edge technology, in the form of Electronic Medical Records (EMR) and Electronic Health Records (EHR).


Electronic Medical Data Provides Multiple Benefits

EMRs store medical and clinical data that is held by a single provider. EHRs go beyond the scope of EMRs: by utilizing powerful database technology they are capable of storing and sharing all types of heterogeneous data, including X-rays and MRI scans. This allows a complete, up-to-date patient profile to be stored and viewed in many different ways by all of the parties involved in the patient’s care plan (including the patient being treated).


Link to Youtube Video on Benefits of Patient Portals

The enormous benefits to be gained from digitizing patient data are indisputable; by facilitating better communication between the parties involved in the patient’s care plan, a more accurate diagnosis is possible.

A US National Survey of Doctors revealed the following statistics:

  1. 94% of providers report that EHR technology makes records readily available at the point of care.
  2. 88% report that EHR produces clinical benefits for the practice.
  3. 75% report that EHR provides enhanced patient care.

EHRs also have the ability to perform sophisticated computations on the stored data. For example, whenever a new medication is prescribed, an EHR system will check for potential drug conflicts and automatically trigger an alert if necessary.

In a study carried out in 2013 by the Kaiser Permanente Center for Health Research, which involved more than 7000 children from Hawaii and Oregon, it was found that health portals offering patient access to EHRs helped parents to better manage their children’s health, especially when it came to preventative care. According to the study, which was published in the Journal of Pediatrics, parents with access to their children’s Healthcare information were 2.5 times more likely to bring their infants in for regular check-ups, as well as keeping up to date with their vaccinations.


The Benefits of EHRs are Offset By Additional Security Risks

The use of Healthcare portals for accessing shared patient information is increasing rapidly; this is not surprising, since they encourage patients to take an active role in managing their own health care by providing access to relevant, up-to-date information on demand. However, because these portals are accessed from multiple points, they introduce additional security risks by exposing patient data to a wider range of cyber attacks.

The astronomical cost of today’s health insurance is driving many to seek free medical care via stolen data they purchase from cyber-thieves. EHRs contain a vast amount of Personally Identifiable Information (PII), including dates of birth and social security numbers, as well as sensitive medical data whose exposure violates a patient’s right to privacy. If online payment of medical bills has been enabled, a breach also provides the potential for gaining access to the victim’s financial details.

In February 2015 the servers of Anthem (the 2nd largest health insurance provider in the US) were compromised by hackers, resulting in the theft of tens of millions of customer records. Medical identity theft is much harder to detect than its credit card counterpart, and therefore offers fraudsters a larger window of opportunity. For example, a stolen credit card is only useful from the time of theft until the card-holder cancels the card and receives a new number, whereas the lifespan of stolen medical information is much longer, since the data never changes even after it has been compromised.

Because medical data provides a much broader utility for cyber-criminals, it carries a higher value than credit card data. The average street value for a stolen credit card number is just $1 USD, whereas the World Privacy Forum (WPF) has reported the market value for a medical record to be around $50; when a Fullz (full profile) is offered for sale, the price can increase dramatically, by up to an additional $500.


Link to Youtube Video News Clip of the Anthem Cyber Attack


The dangers of online health records…

Healthcare providers are unprepared for the rising risks. Financial institutions and retailers have been the traditional targets of cyber crime and have garnered considerable knowledge and experience in mitigating cyber threats; Healthcare providers, on the other hand, have very little experience when it comes to cyber-crime. In order to reduce this threat, Healthcare providers must be willing to invest heavily in system security, whilst leveraging the knowledge gained by retailers and financial services. For example, they need to understand that a strong password is not secure at all if it is entered on a computer infected with malware that records every keystroke the user types and transmits it to cyber thieves.

The once popular stereotype of a lone techno nerd breaking into an organization’s computer system purely for fun has given way to something far more sinister. Today’s hackers are highly organized groups who are both ruthless and extremely competent; by leveraging sophisticated technology coupled with superior collaboration and coordination, they have been immensely successful in subverting the security measures implemented by numerous organizations.

Healthcare providers face many challenges when it comes to protecting patient information. The following is by no means an exhaustive list, but it covers many of the crucial points Healthcare providers need to consider when designing and implementing the security component of their online systems.

  1. Impose User Integrity: Healthcare providers must perform adequate checks to ensure that users attempting to enroll or log on are who they say they are, before granting access to any applications or data held on the system. In particular, this means securing access to their online portals.

Note: For our purposes, the term user refers to any authorized user of the system; this includes patients, medical professionals, health insurers and anyone else involved in the patient’s care plan.

  2. Monitor Suspicious Activity: The system must be capable of analyzing each activity for unusual patterns of behaviour, and of generating alerts when any strange or unusual activity is encountered.
  3. Educate Users: Users (as defined above) must be educated on the dangers of phishing and malware; the degree of training required will depend on the level of access each user has been granted.
  4. Continually Test for Weaknesses in the System: This requires a dedicated team of specialists who constantly perform simulated cyber attacks on a mirror image of the system, in order to flush out potential vulnerabilities. A number of software vendors have produced specialized software to assist Healthcare providers in carrying out this kind of risk assessment; certain institutions such as HealthIT.gov in the US provide this type of software free of charge.
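As an added example of the "monitor suspicious activity" point above (not code from the article), the following Python sketch runs two detection rules over constructed portal audit events: one account opening an unusual number of distinct patient records in a short window, and a login that succeeds only after a burst of failures. The log format and account names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed portal audit events (not from any real system). Assumed format:
# "<ISO timestamp> <event> <account> <source IP> <patient id or ->".
SAMPLE_LOG = [
    "2015-03-01T09:00:01 login_ok dr.adams 10.1.4.22 -",
    "2015-03-01T09:00:40 view_record dr.adams 10.1.4.22 P1001",
    "2015-03-01T09:05:12 view_record dr.adams 10.1.4.22 P1002",
    "2015-03-01T09:00:05 login_fail pat.jones 203.0.113.9 -",
    "2015-03-01T09:00:09 login_fail pat.jones 203.0.113.9 -",
    "2015-03-01T09:00:14 login_fail pat.jones 203.0.113.9 -",
    "2015-03-01T09:00:20 login_ok pat.jones 203.0.113.9 -",
    "2015-03-01T09:10:00 login_ok billing01 10.1.9.3 -",
] + [  # one account opening 30 different records in 30 seconds
    f"2015-03-01T09:10:{s:02d} view_record billing01 10.1.9.3 P{2000 + s}"
    for s in range(5, 35)
]

def parse(lines):
    """Split raw lines into (timestamp, event, account, ip, patient) tuples."""
    events = []
    for line in lines:
        ts, event, account, ip, patient = line.split()
        events.append((datetime.fromisoformat(ts), event, account, ip, patient))
    return sorted(events)

def bulk_record_access(events, limit=20, window=timedelta(minutes=10)):
    """Accounts viewing more than `limit` distinct patients within `window`:
    record harvesting looks like this; routine care does not."""
    alerts, recent = set(), defaultdict(deque)   # account -> (ts, patient)
    for ts, event, account, _ip, patient in events:
        if event != "view_record":
            continue
        q = recent[account]
        q.append((ts, patient))
        while ts - q[0][0] > window:             # drop views outside the window
            q.popleft()
        if len({p for _, p in q}) > limit:
            alerts.add(account)
    return alerts

def failed_then_success(events, fails=3, window=timedelta(minutes=2)):
    """Accounts where at least `fails` failed logins precede a success within
    `window`: a guessed password rather than an honest typo."""
    alerts, recent = set(), defaultdict(deque)   # account -> failure times
    for ts, event, account, _ip, _patient in events:
        q = recent[account]
        while q and ts - q[0] > window:          # forget old failures
            q.popleft()
        if event == "login_fail":
            q.append(ts)
        elif event == "login_ok" and len(q) >= fails:
            alerts.add(account)
            q.clear()
    return alerts
```

Both rules return the accounts to alert on; thresholds are placeholders that a provider would tune against its own baseline of normal activity.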


Conclusion

As the implementation of EMV technology evolves into a global phenomenon, cyber criminals are fully aware that the life-cycle of credit card theft is hurtling towards a rapid demise. However, with an established and proven infrastructure already in place, these criminals are now focusing their efforts on alternative markets such as the Healthcare industry, which offers cyber-thieves the potential for far more lucrative profits.

Healthcare providers face higher risks than retail and financial services, due to the nature of the data that resides on their servers and the existence of multiple access points. Cyber-criminals are ready and able to fully exploit these vulnerabilities, since the Healthcare industry is a technological fledgling and therefore no match for hackers who are seasoned experts in both technical knowledge and experience.

Strong security measures are key to providing secure, cutting-edge systems that not only give fast and easy access to relevant information for those who are authorized, but also instil confidence in the end user. Unfortunately, with the increasing number of breaches of Healthcare data, we are clearly a long way from achieving this objective.

The new US Government website Healthcare.gov, which was designed to meet the demands of the Affordable Care Act (frequently referred to as Obamacare), is a prime example of how inferior software systems are being pushed through with no consideration given to securing patient data: shortly after its launch in October 2013, the servers of Healthcare.gov were compromised at least 16 times. Clearly the attempts by governments to enforce security measures through legislation, like the Health Insurance Portability and Accountability Act (HIPAA) in the US, are failing spectacularly.

The challenge for Healthcare providers is to create a system that offers a high degree of usability while at the same time imposing an acceptable level of security. Achieving the right balance is not an easy task for any type of computer system: if you make the interface too complex you will alienate your users, while if the security component is flawed the consequences can be catastrophic. The study of how people perceive and interact with computer systems is so far-reaching that it has developed into an important branch of Computer Science known as Human Computer Interaction.

Getting the right balance between usability and adequate security is crucial for the Healthcare industry. If it succeeds, the result will be a more efficient and cost-effective Healthcare industry, one capable of providing enhanced services at a reduced cost, with the potential of saving many more lives. However, if providers fail to leverage the knowledge gained from the past mistakes of other industries and refuse to treat security as one of their top priorities, the consequences could be serious, potentially damaging entire economies and destroying the lives of millions.

About Dave Ward

Dave Ward majored in “Business and Computing” and “Computer Science” at the “University of Wolverhampton” in his native country, the UK. Before graduating in 1992 he lived for a short time in Frankfurt, Germany, and Garmisch-Partenkirchen, after which he returned to the UK. In 1995 he moved to the States, where he currently resides in the Chicago area as a freelance “Systems Analyst /Software Developer”.

In addition to his work life Dave enjoys a passion for the art of writing, having taken several classes in the subject including his latest at Duke University NC. Hitherto he has produced a plethora of writings, from various genres including technology, poetry, fiction and cultural affairs. His longtime interest in the health and fitness industry and its concerns has also spawned several articles dedicated to this subject.

Currently he has several side projects in the pipeline; these include his latest poem, a book on morality, a stage adaptation of John Bunyan’s book “A Pilgrim’s Progress”, and a vegetarian cookbook. You can reach Dave at the following email address britguyinus@gmail.com.

  • Harry_E_Smith

    Hello Dave,

    This is a very interesting article and I would encourage anyone who has an interest in healthcare and/or cybersecurity to read it and to watch the videos. Based on my own experience with the enforcement of the HIPAA security and privacy provisions, I would have to agree with you that government agencies have fallen far short of the mark. I would also agree (again based on personal experience) that medical practitioners are a little behind the times when it comes to properly implementing technology. But, just as the Payment Card Industry Security Standards Council lit a fire under merchants who accept credit cards, I would expect to see the Joint Commission “encouraging” hospitals to get their acts together fairly soon.

    This may be a little off point, but I also have quite a bit of experience using patient portals such as those provided by Epic Systems Corporation. I believe that the improvements to patient care afforded by this technology far outweighs any risks associated with security breaches. It would indeed be a shame if fear of compromise discouraged patients or health care providers from using them. Thanks for a great article!

    Bye for now — Harry

    • Dave

      Hi Harry,
      Many thanks for your thoughts concerning this topic. It’s always nice to get feedback from people who are actually in the industry and experiencing the revolution first hand. I am happy to learn that you think the benefits outweigh the risks; there is some really cool and exciting stuff happening in Healthcare technology right now.

      But this security issue is a moving target, and I foresee a whole new generation of software developers making a career out of building secure components for these new systems which are now emerging. Thanks once again for your input, it is greatly appreciated, and I hope you continue to enjoy the changes that this new technology is bringing to your daily work life.