EHRs, HIEs Exacerbate Data Security Vulnerabilities

Cybercrime Targeting Health Records

by Doug Pollack, ID Experts

The data breach incident that hit The Surgeons of Lake County, a medical services practice in Illinois, earlier this summer may be the precursor to a growing trend towards cyber-blackmail targeted at patient medical records. It also demonstrates a clever approach to monetizing data breach-oriented cybercrime without going through the trouble of acquiring and remarketing the data.

On June 25, 2012, The Surgeons of Lake County discovered a data breach in which a hacker had broken into the practice's computer systems. Rather than extracting the patient data held in its electronic health records application, the hacker encrypted the data and left the medical practice a digital blackmail note. As reported in a Bloomberg blog post titled “Hackers Steal, Encrypt Health Records and Hold Data for Ransom”, this incident demonstrates a novel approach to marrying cybercrime with blackmail.

“This story is so ironic — most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors — in fact, nobody — can access these records.”

I think that this incident illustrates the beginning of a much larger phenomenon. As we all know, medical practices are working tirelessly to implement electronic health record (EHR) systems in order to take advantage of funds available from the federal government for health providers that demonstrate “meaningful use”, as it is known. In their rush to use meaningful use dollars by the 2014 deadline, physician practices and their vendors may understandably be placing a lower priority on the privacy and security issues and risks that exist when moving patient data into new applications that will be used across the healthcare ecosystem. Therefore, vulnerabilities and weaknesses in their security architectures should be expected.

Not only do medical EHR systems themselves pose security risks, but the movement towards making patient data available wherever patients may access medical services, implemented through participation in health information exchanges (HIEs), exacerbates the level of risk by introducing additional vulnerabilities. HIEs face funding challenges because they lack clear-cut and profitable business models, and yet federal grants and deadlines maintain a level of time pressure for implementing these systems that does not allow for thorough consideration of security concerns.

As professor Glancy states, “This is a warning bell. Maybe they’re [Surgeons of Lake County] the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

While the benefits to patients of broad-based implementation and exchange of electronic health records could be substantial when it comes to quality and timeliness of care, possibly the healthcare world should slow down a bit to ensure that privacy and security issues are rigorously addressed before the data starts flying around in the ether.

Doug Pollack, CIPP, is chief strategy officer at ID Experts, responsible for strategy and innovation including prevention analysis and response services. As a veteran in the technology industry, he has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets. Prior to ID Experts, he held senior management roles at Digimarc, several successful software startups, 3Com Corporation and Apple, Inc. Doug holds a BSEE from Cornell University and an MBA from the Stanford Graduate School of Business.