The biggest threats to a medical practice data breach come in the forms of hacking, malware, and phishing, says Mark Dill, partner and principal consultant for Tw-Security, a security firm.
As proof, he points to the Department of Health and Human Services' (HHS) Office for Civil Rights' "Wall of Shame," which lists every data breach that affected protected health information of 500 or more individuals. "When you look at that data set, hacking, malware, phishing, and ransom [are the most common causes], device and mobile media loss is next, then human error. By then, you've accounted for 90 percent of the root causes," Dill says.
Dill will be speaking about the pervasive threat of hacking, malware, and phishing at the annual Healthcare Information Management and Systems Society (HIMSS) conference, held this year in Las Vegas. His session, "Cybersecurity: Achieving Prevailing Practices," is scheduled for Thursday, March 8 from 11:30 a.m. to 12:30 p.m.
Dill spoke to Physicians Practice to preview his session.
Physicians Practice: What are you going to talk about at your session at HIMSS18?
Mark Dill: What's unique about my talk is the data I'm going to present, how I collected it, and why it's different than other surveys that are out there [on data security]. I've been asked my entire career about "What's [this other provider] doing?" and "What's this hospital doing?" to address the problem we're talking about. Having that data at the ready is fairly difficult to get to. The surveys out there are pretty high level. They'll tell you how many people have firewalls, intrusion prevention, or single sign-on. But they don't get into the level of maturity of applying that tool or of control effectiveness. My data begins to address data that's more useful, either for an executive or a technician, to compare where they're at relative to their peers.
PP: Why is health data valuable to hackers?
Dill: It depends on the source, but the price for [protected health information] is always higher than the price for credit card data. The fraud alert mechanisms with a credit card and debit card are so good. They might get the first purchase for $400, but after that everything is blocked. The whole process works. The price for credit card information is inexpensive.
When you get to PHI, that data is rich with identity theft-laden information. It never gets stale. Your Social Security number doesn’t change. Your demographic information doesn’t change. If it's stolen today, it'll still be effective two to three years [later]. So that value goes up. That's on the dark market. If you want to use it for medical identity theft or medical fraud, that's an even higher price. If someone sold some records and could get away with billing Medicare fraudulently, that could be worth millions.
PP: Can these threats reach smaller medical groups and practices?
Dill: The numbers are certainly way down, in terms of scans, probes, and attacks (compared to hospitals). But they are still a target, especially if they are directly connected to the hospital … When they connect to a hospital, if their [security] profile is different from the hospital, they can be a weak link. They can be a route in the door. It's like other breaches you've seen—the vendor had a weakness and was exploited.
On the theft of mobile media and devices, that threat is ever present, regardless of size. Phishing is pretty consistent if it's random. If it's targeted, certainly a larger hospital is a bigger target. But it's still out there [for small practices]. What I'm seeing is if a hospital has a better tool than a small practice, it's important to try and push the small practice to that level of security.
PP: What’s unique about your session versus others on cybersecurity, especially for smaller practices?
Dill: I have looked for a dataset that is this granular and can afford the audience the tools to compare themselves against others. I've never found it. This is the first time I'm seeing data like this.
If you're a small practice, you're clearly not trying to compare yourself to an academic medical center. You don't have the tools, resources, talent … Your very small IT team has to wear so many hats. You're going to want to see, for your small-sized practice, the capabilities [you'll need].
When I acquire this technology or process, where is everyone else at? If I'm not there, what's the gap and how do I get there? How do I avoid spending too many resources on one tool or process? That's what my session is designed to do. Paint a picture of prevailing practices — the key word is prevailing. HIPAA says you're supposed to achieve these milestones in accordance with your capability. If you haven't obtained prevailing practice, there's going to be an opportunity for a breach or a fine.