Which is worth more to a hacker: a patient's electronic health record or her private credit card details?
The surprising answer: The patient record. The main reason has to do with what they can do with the information inside, said Troy Tribe, senior vice president of HIPAA services at SecurityMetrics in Orem, Utah, presenting at the Medical Group Management Association Annual Conference on October 9.
"They submit fraudulent insurance claims with that data. On average, the payments are anywhere from $7,000 to $10,000," said Tribe. That's why a single stolen patient record can be worth $60 on the black market, more than data about a credit card, he said.
Media reports note that hackers can also use medical record information to buy medical equipment or drugs to resell in addition to filing false claims for payment.
The cost can be much higher for medical practices that are hacked. In a June 2017 report for IBM, the Ponemon Institute estimated that each theft or loss of a medical record costs healthcare firms an average of $380 per record.
There are simple strategies that practices can use to protect themselves, Tribe said. But first, it's important to understand who hackers are, and who they aren't.
These days, "hackers are extremely well organized, and in many cases more organized than the companies you and I work for," Tribe said. "They're 9-to-5 employees, they have quotas, and they get bonuses just like you and I do. But theirs are based on the number of healthcare records or credit card details that they can get."
How do hackers get into healthcare systems? One route is through so-called remote access, which allows workers to access computer systems when they're away from the office. Remote access "ports" are often left open, he said, allowing hackers to get into systems and try to figure out usernames and passwords.
"Our security habits are really bad," he said. "We have found in our investigations that many people use the same usernames and passwords for log-ins, whether it's your bank, Spotify, your gym, or Facebook."
"Phishing," in which hackers try to fool users into clicking on malware attachments, is another route into systems, Tribe said.