Why Hackers Love Patient Records and What to Do About It

October 10, 2017
Randy Dotinga

Hackers are well-organized and hungry for patient records. Here’s what practices need to know to protect their patients and their business.

Which is worth more to a hacker: a patient's electronic health record or her private credit card details?

The surprising answer: the patient record. The main reason is what criminals can do with the information inside it, said Troy Tribe, senior vice president of HIPAA services at SecurityMetrics in Orem, Utah, presenting at the Medical Group Management Association Annual Conference on October 9.

"They submit fraudulent insurance claims with that data. On average, the payments are anywhere from $7,000 to $10,000," said Tribe. That's why a single stolen patient record can be worth $60 on the black market, more than data about a credit card, he said.

Media reports note that hackers can also use medical record information to buy medical equipment or drugs to resell in addition to filing false claims for payment.

The cost can be much higher for medical practices that are hacked. In a June 2017 report for IBM, the Ponemon Institute estimated that each theft or loss of a medical record costs healthcare firms an average of $380 per record.

There are simple strategies that practices can use to protect themselves, he said. But first, it's important to understand who hackers are, and who they aren't.

These days, "hackers are extremely well organized, and in many cases more organized than the companies you and I work for," Tribe said. "They're 9-to-5 employees, they have quotas, and they get bonuses just like you and I do. But theirs are based on the number of healthcare records or credit card details that they can get."

How do hackers get into healthcare systems? One route is through so-called remote access, which lets workers reach office computer systems from elsewhere. Remote access "ports" are often left open to the internet, he said, allowing hackers to reach the systems and try to guess usernames and passwords.

"Our security habits are really bad," he said. "We have found in our investigations that many people use the same usernames and passwords for log-ins, whether it's your bank, Spotify, your gym, or Facebook."

"Phishing," in which hackers try to fool users into clicking on malware attachments, is another route into systems, Tribe said.

Hack-proof your practice

He offered these strategies to lower the risk of hacking:

• Work with staff and business partners to improve computer security. "Make sure everybody understands what phishing is," he said.

But don't bore employees with long meetings like three-hour training sessions each year, he said. "Fifteen-minute meetings every month are better," he said.

• Mind usernames. "All staff should have separate user accounts rather than using the same username and password for everyone in the office," he said.

One common mistake, he said, is to allow everyone to use the username "admin," since hackers can easily figure that out and then focus on cracking the password.

"Change 'admin' to something more difficult to guess," he said. And no, he said, just combining your company name and "admin" into a new username isn't going to work. Hackers will figure that out too.

• Treat a password like underwear, he said: Change it often, don't give it to other people, and keep it out of sight.

• Lock out users who fail to enter their log-in information correctly after a few tries, he said, and embrace "multi-factor authentication" for your accounts.

Multi-factor authentication makes it harder for crooks to log into your accounts because they'll need access to something beyond a username and password to get in from an unrecognized computer or device. They may need a code sent to your cell phone, for instance, or a user's fingerprint. "That's a huge step in avoiding any type of cyberattacks," Tribe said.

• Consider hiring a security firm to probe systems for weaknesses through what's known as a "vulnerability scan."

• Remember three words: "Antivirus isn't enough." Don't just rely on software, Tribe said, especially in light of questions about whether antivirus programs actually work.
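The "lock out users after a few tries" advice above, written out as a small log-in guard. This is an added example, not code from the article or from SecurityMetrics: the threshold of five attempts, the 15-minute cool-down, the PBKDF2 storage format and the sample "reception" account are all assumptions chosen for illustration.

```python
"""Temporary account lockout after repeated failed log-ins (added example).

Assumed policy: five wrong passwords in a row lock the account for 15
minutes; a correct password during that window is still refused.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILURES = 5            # assumed policy: wrong attempts before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed policy: cool-down once locked
PBKDF2_ROUNDS = 100_000     # assumed work factor for stored password hashes


def make_record(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 hash stored in place of the plaintext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Attempts:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    """Checks credentials and refuses attempts while an account is locked."""
    records: dict                              # username -> (salt, digest)
    clock: Callable[[], float] = time.time     # injectable so tests can move time
    state: dict = field(default_factory=dict)  # username -> Attempts

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        now = self.clock()
        st = self.state.setdefault(username, Attempts())
        if now < st.locked_until:
            return "locked"                  # refused before the password is even checked
        if self._verify(username, password):
            self.state[username] = Attempts()  # success clears the failure counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "bad_credentials"

    def _verify(self, username: str, password: str) -> bool:
        rec = self.records.get(username)
        if rec is None:
            # Unknown username: do the same hashing work so response time does
            # not reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


def demo() -> tuple[list[str], str, str]:
    """Constructed walk-through: five bad guesses lock 'reception' out, the
    right password is refused during the window, and accepted after it."""
    now = [1_000_000.0]                        # fake clock, constructed
    guard = LoginGuard({"reception": make_record("correct horse")},
                       clock=lambda: now[0])
    results = [guard.attempt("reception", f"guess{i}") for i in range(5)]
    during = guard.attempt("reception", "correct horse")
    now[0] += LOCKOUT_SECONDS + 1
    after = guard.attempt("reception", "correct horse")
    return results, during, after


if __name__ == "__main__":
    print(demo())
```

The guard refuses a locked account before touching the password, so a correct guess made during the cool-down neither logs in nor resets the timer; a successful log-in after the window clears the counter. Pairing this with multi-factor authentication, as the article recommends, means a guessed password alone still is not enough.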