Lack of Third-Party Security, Multifactor Authentication Lead to Medical ID Theft
A recent white paper released by CSID, Finding a Cure for Medical Identity Theft reports that the majority of healthcare organizations aren’t implementing all of the best security practices recommended today to protect patient health information.
While approximately 80 percent of healthcare organizations are using firewalls, antivirus and strict passwords, only 32 percent are using multi-factor authentication and another 20 percent are vetting third-party vendors. Considering the fact that antivirus software only catches about 45 percent of cyberattacks, as antivirus provider Symantec’s VP told the Wall Street Journal, perhaps it’s time to update their security approach.
Third-party vendors are often targeted by hackers as an easy gateway into their larger clients’ networks, as they often don’t have the resources or knowledge to implement proper security. Vendors that support the healthcare industry are recognized as business associates if they deal with any patient health data, or could provide access to data. And business associates are required to meet HIPAA compliance regulations for data security, as the final HIPAA omnibus rule decreed.
As the U.S Dept. of Health dictates in the final HIPAA omnibus press release issued last January:
The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
And although most healthcare organizations are enforcing password policies, what happens if an attacker gets his/her hands on an administrator password? In the case of the Utah Dept. of Health, 780,000 health records were exposed when a hacker accessed a server containing Social Security Numbers maintained by the Utah Dept. of Tech Services, as eWeek.com reports.
They report that there was a configuration error at the authentication level for server, which was a test server, and that the password was very weak. However, if they had had two-factor authentication properly implemented, it’s possible they may have prevented this breach.
And motivation to steal medical record data may have to do with the fact that medical information is worth ten times more than credit card numbers on the underground stolen data market, as Reuter reports.
Apart from medical identity theft, physicians and healthcare systems should be concerned for another reason - a medical data breach can result in hefty fines straight from the U.S. Dept. of Health (HHS), which is different from other industries without a federal governing body and the legislation in place to ensure companies pay up. The largest data breach settlement with the HHS resulted in a $4.8 million fine after a university physician exposed the data of 7,000 patients online. Find out more in HIPAA Affects Hospital & University Alike; Results in $4.8 Million Settlement.
Learn more about health IT security and how to protect your patient data in:
Securing E-Prescription Applications & Identity-Proofing
Two-Factor Authentication for Electronic Health Record (EHR) Apps
Remote Access Attacks & Threat Actor Profiling: Sign of the InfoSec Times