Hackers in no rush to cash in on stolen data
As cyber attacks continue to target healthcare organizations, hackers are changing tactics, becoming more patient and sitting on stolen data until the perfunctory credit monitoring services offered to patients expire.
They can afford to do so, says Pam Hepp, a healthcare attorney at the Buchanan, Ingersoll & Rooney law firm in Pittsburgh. Sometimes, a hacker may dip into some of the acquired data to monetize it, but increasingly they’re holding most of it until monitoring activity ends.
Hackers can be patient because they know that physicians and staff members still need access to data and are still likely to fall victim to phishing scams, Hepp adds. Further, while security oversight of internal and vendor processes is improving, much of that oversight still rests on a business associate agreement, which often hasn’t provided much protection.
Once medical data is taken, it is difficult for consumers to know what has been taken until they are notified, or they have a physician appointment and find out that their blood type and diagnoses have been changed because a hacker stole their identity.
That hacker, Hepp says, is using the data to generate false claims for durable medical equipment, hospice or home health services not being delivered. “Stealing data means you don’t have to find patients; you just make up new patients,” she says.
Unfortunately, while security technology continues to evolve, hackers will continue to have the upper hand and almost always will be a step ahead, Hepp notes. “Even if you are doing robust risk assessments, between that and human error, breaches will happen.”
When there is a breach, a risk analysis should be conducted, not just to learn what types of data were compromised, but who had access and what data was seen, followed by an ongoing review of vulnerabilities to ensure the same type of breach does not happen again, she counsels.
Large healthcare organizations have the resources to conduct a comprehensive risk analysis on an annual basis, and federal regulators expect that, Hepp advises. Smaller organizations, if possible, should assess risk vulnerabilities annually; those without the resources should at least do it every two years.