In December 2016, medical lab operator Quest Diagnostics announced that it had been hacked — putting over 34,000 customer accounts at risk. These accounts contained names, birth dates, and lab results. (Fortunately, more sensitive information such as Social Security numbers and credit cards weren’t stolen).
Quest’s announcement marked the most recent case in the growing trend of healthcare information hacks. Instances of reported healthcare breaches jumped from 568,358 to 111,812,172 between 2010 and 2015. Why is healthcare information so attractive to hackers? Today we’re going to examine this question and explain the implications for the industry moving forward.
The Appeal of Healthcare Data Hacking
The black market for healthcare data is a thriving business. In some instances, a single Medicare number can sell for almost $500. Medical data sells with a higher price tag — sometimes 60 times the dollar amount of credit card data — because hackers can use it to access an individual’s Social Security number, insurance information, and more. That information can be used to open credit cards under the person’s name, purchase prescriptions or medical supplies, and resell these items on the black market.
When it comes to hacking updates in the news, we hear about data stolen from financial institutions and email providers all the time. For the most part, these industries have good security practices in place. Banks, for instance, take extra caution to detect fraud by emailing users when they come across suspicious purchases.
For healthcare, security is just starting to become a priority. According to the IBM X-Force 2016 Cyber Security Intelligence Index, the healthcare industry was the number-one target in 2015. A year earlier, healthcare didn’t even make the top five. It’s no wonder that 85% of healthcare IT professionals say that information security has become a greater business priority in the past year.
Top Data Breach Threats for Healthcare
According to Verizon’s 2016 Data Breach Investigations Report, healthcare is particularly prone to the following types of cyber attacks:
- Insider and Privilege Misuse: Attacks that involve a company employee, usually along with an external team. In this case, the company is particularly vulnerable as the insider knows its security defences.
- Miscellaneous Errors: Unintentional acts by employees that compromise company information. Examples include misdelivery, capacity shortages, and publishing errors.
- Physical Theft and Loss: When employees lose company assets that contain sensitive information, either through unintentional loss (i.e. by accident) or theft.
It’s important to note that the types of breaches listed above aren’t all malicious and may not even come from outside parties. While Quest was a clear target for malicious third-party hackers, it represents only one of many ways hackers exploit vulnerabilities. With 47% of the U.S. population falling victim to a healthcare data breach over a twelve-month period, companies are discovering that being lax on security will inevitably have real-world consequences.
While awareness takes time to become a priority and influence policies and practices, there are strategies companies can implement right away.
What Could Quest Have Done Differently?
While we don’t know what measures Quest had in place before the attack, there are some solid best practices healthcare companies should know about and follow.
Third-Party Penetration Tests
Hackers penetrated Quest’s mobile app, meaning that Quest had an application with one or more vulnerabilities that permitted access to unauthorized information. The vulnerability could have been in their API, their website, or the app itself. The broader point is that a company often doesn’t really understand the strength of its security controls until an actual attack occurs.
Third-party penetration tests involve a separate team or company simulating cyber attacks to obtain sensitive information (in this case, patient information). By attempting to penetrate systems to access this information, the team can reveal vulnerabilities in the healthcare organization’s network security. Third-party penetration tests are vital if a company wants to understand and validate the current security controls they have in place.
Security Code Reviews
While developers and quality assurance engineers catch bugs and issues with their code, being too close to the project opens up the possibility of missing some of those flaws. Security code reviews involve having one developer review the code of another. Reviews can detect common coding errors that can enable unwanted access by hackers. From a quality assurance standpoint, a different developer can help detect if automated tests need to be rewritten to check the new code.
Security code reviews aren’t separate from penetration tests. In fact, the final step of a security code review is to do a follow-up penetration test to ensure no more vulnerabilities are discovered.
Data Sanitization
Computer experts know that files and programs deleted from a PC’s recycle bin can be brought back, often even after the hard drive has been reformatted. Decommissioned equipment, from computers to flash drives, can also hold sensitive data for years. In some instances where companies reassign equipment to new users, this data could accidentally be passed to employees who weren’t meant to have it. A separate concern, also called sanitization, is that attackers commonly submit their attacks through normal data entry channels such as web forms, application input fields, and more.
Storage sanitization programs take care of the first issue by overwriting a hard drive many times to make sure any old data can never be recovered. Sanitization programs are also available for portable devices, as today’s employees are more mobile than ever. Similar to penetration tests, companies can test their sanitization efforts by attempting to discover leftover data with forensics and other methods. Every company device that is reused or retired should be sanitized. Input sanitization addresses the second issue: application developers assume that any user-submitted data could contain a hazardous payload, and so it must be validated and cleaned on the server side to remove any possibility of malicious content reaching a database, a web page, or another system. Sanitizing input greatly reduces the number of vectors through which attackers could gain unauthorized access to a system.
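As an added example (not code from the original post or from Quest), here is the server-side input sanitization described above applied to a constructed patient-portal “find my results” form: allow-list validation of each field, bound query parameters so input is never spliced into SQL, and HTML escaping of stored values before they are shown back to a user. The patient-ID format, the table, and its rows are assumptions made for the example.

```python
import html
import re
import sqlite3
from datetime import date

# Constructed schema and sample rows for the demo; not real patient data.
SCHEMA = "CREATE TABLE results (patient_id TEXT, dob TEXT, test TEXT, value TEXT)"
ROWS = [("P-10001", "1980-03-14", "HbA1c", "5.4 %"),
        ("P-10002", "1975-11-02", "LDL", "131 mg/dL"),
        ("P-10002", "1975-11-02", "Note", "<b>call MD</b>")]

PATIENT_ID_RE = re.compile(r"^P-\d{5}$")  # assumed identifier format


class InvalidInput(ValueError):
    """Raised when a submitted field fails allow-list validation."""


def validate_lookup(form):
    """Accept only the two fields the form needs, in the exact shape expected."""
    pid = (form.get("patient_id") or "").strip()
    dob = (form.get("dob") or "").strip()
    if not PATIENT_ID_RE.fullmatch(pid):
        raise InvalidInput("patient_id has an unexpected format")
    try:
        parsed = date.fromisoformat(dob)
    except ValueError:
        raise InvalidInput("dob must be YYYY-MM-DD") from None
    if parsed > date.today():
        raise InvalidInput("dob is in the future")
    return pid, parsed.isoformat()


def fetch_results(conn, form):
    """Validate, then query with bound parameters; never concatenate input."""
    pid, dob = validate_lookup(form)
    cur = conn.execute(
        "SELECT test, value FROM results WHERE patient_id = ? AND dob = ?",
        (pid, dob))
    # Escape stored values before they are embedded in an HTML response.
    return [(html.escape(t), html.escape(v)) for t, v in cur.fetchall()]


def handle_request(conn, form):
    """What a request handler returns: the rows, or a generic error message."""
    try:
        return {"ok": True, "rows": fetch_results(conn, form)}
    except InvalidInput as exc:
        return {"ok": False, "error": str(exc)}


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO results VALUES (?, ?, ?, ?)", ROWS)
    return conn
```

A quote-laden patient ID is rejected before any query runs, and a stored value containing markup is neutralized on the way out.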
HIPAA Compliance
In the United States, healthcare security provisions are recommended through the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996. While this act did not mandate security, it did set expectations. According to the act, companies that work with protected health information (PHI) should have security measures in place for their physical premises, networks, and processes to protect all patient data. These measures apply to a healthcare organization’s website hosting, email provider, online forms, messaging system, cloud storage, and more.
Always on the Lookout
The tools mentioned above are just a handful of the many steps healthcare companies should take to prevent a hack. Of course, it’s important to remember that no protocol is perfect. Even extremely well-tested software can have serious vulnerabilities: this is the world we live in. Systems are designed to be secure, which is precisely what makes testing that security a challenge.
Nevertheless, every precaution you take makes you a little bit safer from becoming the next cyber attack victim. If all companies in the industry take steps to improve their security, perhaps healthcare will no longer be such an attractive target.
LuxSci founder Erik Kangas has an impressive mix of academic research and software architecture expertise, including: undergraduate degree from Case Western Reserve University in physics and mathematics, PhD from MIT in computational biophysics, senior software engineer at Akamai Technologies, and visiting professor in physics at MIT. Chief architect and developer at LuxSci since 1999, Erik focuses on elegant, efficient, and robust solutions for scalable email and web hosting services, with a primary focus on Internet security. Lecturing nationally and internationally, Erik also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging. When he takes a break from LuxSci, Erik can be found gleefully pursuing endurance sports, having completed a full Ironman triathlon and numerous marathons and half Ironman triathlons.