March 2016

PHI: Valuable and Vulnerable
By Juliann Schaeffer
For The Record
Vol. 28 No. 3 P. 18

It's this combination of traits that makes health care data such an attractive target.

From the media sirens that blare when a large health care system becomes the target of a cyber attack, it's no secret that health information holds a particular value—both to patients and the thieves who seek to exploit it for their own purposes. But precisely what makes protected health information (PHI) so valuable? An even more pressing question may be what makes health care systems so vulnerable.

According to a 2015 Ponemon Institute study, criminal attacks in health care have increased 125% since 2010. Now PHI is the preferred target of data thieves, and it's clear this threat isn't going away anytime soon.

The Value of PHI
PHI is defined as any information associated with a patient and his or her health status, says Manny Jones, health care vertical sales manager for LockPath. In addition to names and geographical identifiers such as state, city, and address, PHI can also come in other forms, including the following:

• phone or fax numbers;
• Social Security numbers;
• medical records;
• health insurance numbers; and
• biometric identifiers, such as fingerprints and retinal and facial patterns.

Whereas stealing a credit card can provide an immediate payout, it's often short lived. Compare this with swiping PHI, and it's easier to understand why it's more attractive. "PHI theft has a longer shelf life than stolen credit card data, where the payout is immediate and ends as soon as the card or account is canceled," says Kim Green, CHC, CISA, chief security and privacy officer at Zephyr Health.

Because of this depth of detail, Michael Ebert, partner and health care & life sciences lead for cyber for KPMG, says PHI is 10 times more valuable than credit card information alone. Some experts put that number even higher.

According to Carl Wright, executive vice president of TrapX Security, the economic incentive driving the theft of PHI data is compelling. "Cyber security firm Dell SecureWorks reported that successful cyber attackers were receiving as much as $20 to $40 for health insurance credentials alone," he says. "Comparatively, stolen credit card numbers are often valued between $1 to $2 each when sold on the black market."

Green says there are several ways PHI can be turned into illegal profit, including the following:

• extortion (blackmail), in which criminals demand money from individuals or health care organizations to prevent exposing private medical information;

• fraud, in which criminals use a valid health insurance card to obtain health care services or purchase medical equipment or pharmaceuticals that can be resold at a profit;

• identity theft, in which criminals use a valid Social Security number to open lines of credit or create fake IDs; and

• data laundering, in which criminals sell stolen data back to legitimate businesses or repackage insurance claims data.

In effect, when criminals steal PHI, they're seeking to assume that patient's medical identity. "False medical identities can be used to purchase prescription drugs or medical devices and file false medical claims," Jones explains. "Once they've made a few claims and obtained some reimbursements or prescription drugs, cyber thieves turn around and resell the drugs, etc, on the black market, making a profit. Meanwhile, the real patient is stuck with fraudulent claims and bills for medical services they did not receive."

It's not a matter of one piece of health information providing more value than another piece. "The package of information is most valuable, since it can create a much more complete picture to perpetuate a fraud," Ebert says. "Just one or two numbers may not be enough to conduct an effective fraud scheme. If you can essentially steal a nearly complete identity, such as one detailed in a medical record, it opens up opportunities for schemes to bilk insurance companies, conduct loan fraud, or obtain prescription drugs."

More detailed medical information also provides criminals with the opportunity to parse their haul and sell it to multiple buyers, Jones says.

Green says there's no way to know the exact percentage of stolen data that's being used for criminal purposes. However, she does have a good idea where criminals are taking the information. "Most stolen PHI is sold on the dark web, which are sites used for illegal or criminal activity," Green says. "Cyber thieves also use social media sites, such as Twitter. Investigators and security experts have successfully tracked stolen data appearing on the black market back to specific health care breaches, such as Anthem and Premera."

The Vulnerability of Health Care
As illustrated in the Ponemon study, cyber attacks are increasing in health care, which, considering it's a $3 trillion industry, is not surprising.

Who's at risk? Just about everyone. "Organizations with a prominent or larger public technology footprint are greater targets, but smaller entities typically have greater risk due to the lack of formal infrastructure and limited security resources, protocols, and procedures," says Andy Nieto, director of health care solutions at DataMotion.

Lynn Sessions, a partner and member of the privacy and data protection team at BakerHostetler, explains health care's security predicament in certain terms: "I have heard an FBI agent say, 'There are two types of companies: those that have been hacked by the Chinese and those that don't yet know they have been hacked by the Chinese.'

"The level of sophistication of the hackers make health care organizations vulnerable," she continues. "During a time of declining reimbursements and with meaningful use requiring that health care open its networks for greater data sharing, it makes it difficult to defend against state and criminal organizations that are looking for vulnerabilities around the clock. With the amount of information a health care organization has on its patients/members, they are a gold mine to target for criminals."

Besides the lure of cashing in on health care's massive cash flow, there are other factors at play that make the industry an attractive target for illegal activity. One, according to Nieto, is the relative ease at which health care organizations can be violated. "What leaves health care particularly vulnerable is that they have simply not kept pace with other industries, such as banking and retail, from a technology standpoint," he explains. "According to the FBI's Cybercrime division, health care isn't able to withstand even basic threats, let alone advanced ones."

Does the industry lack the cyber security expertise necessary to thwart sophisticated attacks? According to Ebert, there's a shortage of professionals trained in cyber security across many industries, not just health care. He points to a KPMG survey indicating that more than 50% of provider and payer respondents admitted their organization was having difficulty attracting and retaining desirable candidates on their information security teams.

Jones says that while a lack of qualified professionals hampers security efforts, it's important to note that health care organizations tend to spend their limited resources on revenue-generating departments. IT doesn't fit that bill although recognition of its value may be gaining steam. "IT has traditionally been lower in overall budgeting priorities," Jones says, "but it's becoming a higher priority as executives realize it may not be revenue generating, but it certainly can be revenue preserving."

As the industry strives to meet federal incentives, Nieto says EMRs are becoming widespread, making the pool of lucrative data larger by the moment. And not only are there more electronic records but they're also being shared more frequently, which increases security risks. In short, the more places PHI resides and the more times data are exchanged, the more opportunities for cyber criminals to cash in.

Jason Trost, vice president of threat research at ThreatStream, agrees that meaningful use regulations have increased the amount of valuable data available. "This vast amount of data is an attractive target to thieves, and health care has not historically been information technology leaders. Now, the industry is required to adopt EMRs while also developing security maturity to protect sensitive data," he says.

"Information sharing with insurance companies, other providers, and pharmacies all provide avenues for cyber criminals to get data," Jones says. "As data are being sent multiple times and residing in more than one location, there are more opportunities for them to be intercepted."

It also doesn't help that most organizations rarely conduct operations looking for evidence of a data breach, says Jim Hunter, CISSP, GSNA, GCFE, GWAPT, director of monitoring and security for CareTech Solutions. "So most do not know they have been compromised until a breach is reported by the victims or another party," he says.

Cyber criminals are constantly coming up with new tricks and points of entry to get their hands on PHI, Jones says. "In addition to not knowing where the cyber thief may be coming in next, many health care organizations struggle with being aware of what devices are actually storing PHI and need to have the proper protections in place," he says. "From medical staff with handhelds and unlocked laptops to medical devices and even insider threats, there are many ways cyber thieves access information. Health care organizations that lag in implementing cyber security measures are left more vulnerable to cyber crime."

The risk goes beyond cyber theft itself, Ebert says. "Cyber theft is part of the problem, but the same entry points to steal information can be used to insert malware into health IT systems," he explains. "The malware can sabotage records or even disrupt the performance of medical devices and diagnostic equipment—effectively putting lives at risk. There is also an intellectual property issue here where information needs to be protected as well, particularly around clinical trial research."

Would health care benefit from taking a look at other industries' security playbooks? Hunter says yes, pointing to the measures being taken by credit card companies. "Health care can learn from the credit card industry to define some standard technical guidelines that all organizations can follow to meet a minimum safe standard," he says. "The Payment Card Industry Data Security Standard was created by those credit card companies for that exact reason—to standardize protection of credit card data. Because health care lacks that same one-stop, HIPAA-certified standard, organizations are forced to use other framework standards, such as ISO [International Organization for Standardization] 27001, NIST [National Institute of Standards and Technology], and others, that might not address the variables of health care security challenges."

Jones believes all industries could learn something from each other, especially in light of how fast-moving cyber theft can be. "Tactics change quickly, and forums, conferences, and online research about the newest threats make it easier for IT professionals to discuss, collaborate, and prevent future attacks," he says. "It is not if an attack will happen, it is when. And improvement comes in how the IT community learns from shared experiences and how quickly a breach is addressed."

Wright agrees, adding that hospitals would benefit from starting a cyber security conversation with the assumption that at some point their perimeter defenses will be breached. "Cyber defense teams should evaluate and acquire new technologies that can identify attackers who have bypassed primary defenses," he says. "New leading-edge technologies such as deception technology can provide advantages for the security operations center team or managed security service provider that substantially reduce time-to-breach detection. These technologies can be the key factors that protect organizations from the liability and expense of a major data breach and the resulting loss of PHI data."

Another tip to stay a step ahead of escalating cyber security threats: Move beyond minimum compliance. "The most important thing the health care industry can learn from other industries is that just because you are compliant does not mean you are secure," says Angel Grant, senior manager of fraud and risk intelligence at RSA. "You need to continuously stay on top of your security posture, as there will never be one solution that will mitigate a cyber attack. Pervasive visibility is the foundation of a successful security program."

To thwart cyber thieves, Trost recommends health care organizations take the following steps:

• Deploy network and endpoint monitoring technology, including threat intelligence to identify breaches faster.

• Periodically perform proactive threat hunting within your networks, with the goal of identifying previously undetected breaches.

• Deploy nontraditional network sensors such as honeypots to detect compromised systems within your network attempting to perform lateral movement.

• Get involved in health care security and threat intelligence sharing groups to exchange details large and small about threats hitting the environment. "Chances are, others have seen similar activity or indicators and can help," Trost says.

According to Ebert, the key to an effective cyber security program is establishing a balance of process, people, and technology, with all three elements adequately resourced. "Technology can help on the front end with firewalls, encryption, and programs that monitor how and where data is flowing within networks," he says. "The technology isn't effective if people are not there to provide some oversight. Some of the organizations that were the targets of significant breaches had plenty of technology at the front end, but fell short when it came to staffing and developing the processes around a breach."

Above all, organizations must come to terms with the fact that data breaches leave serious, long-lasting marks. Patients trust their health care providers to protect their data, making it imperative that organizations take cyber security seriously, Jones says.

"Health care organizations need to realize they have a big target on them because of the richness and depth of the information they collect," Ebert notes.

— Juliann Schaeffer is a freelance health writer and editor based in Alburtis, Pennsylvania.