Medical information is highly personal and sensitive. It is also highly sought after by cybercriminals. International statistics show that this form of information theft is on a steep increase.
Statistics South Africa released its most recent General Household Survey in 2015, which revealed that 18.1% of South Africans have medical aid coverage. Almost a quarter of South African households have at least one person on medical aid. While this means that cyber criminals have a relatively small pool of targets to choose from, they still pose a serious threat.
Why do hackers want your medical information?
Information, in the digital age, is currency. It can be traded on the dark web for all kinds of nefarious purposes.
Electronic health records (EHR) contain personal data used during medical transaction which is recorded and stored through special EHR management software. The data stored is date of birth, medical aid number, ID number and financial information.
“The reason that this information is of such high value is because it can’t be easily changed or replaced if a cyber attack occurs,” explains Anvee Alderton, channel manager at Trend Micro Southern Africa. “Your ID number, date of birth, and medical history are unique to you, and because of that, they have a long shelf life on the black market.”
What do they use the information for?
There are several different ways that medical information can be used. Medical histories can be used to procure prescriptions for specific drugs. Once the drugs are obtained, they can be sold on the black market.
Medical aids rely on information such as date of birth and ID numbers, which can’t be changed. This information on its own is highly prized by cyber criminals as it can be used to create fake identities, open up fake medical aid profiles, and can be used in filing false tax returns. Some criminals go as far as using ID numbers and birthdates to create fake birth certificates.
“Besides selling the individual pieces that comprise an EHR, this data can also be collected to create a new product, like medical aid cards, driver’s licenses, even come up with entirely new identities,” Alderton says.
In Trend Micro’s research paper “Cybercrime and Other Threats Faced by the Healthcare Industry”, it is reported that internet-connected devices could be a gateway for hackers to get into a network. Medical equipment and networks may be vulnerable to attack. Unsecured devices and vulnerable computers can also provide points of entry.
“There are many reasons that contribute to the increase of data breaches in the healthcare industry,” Alderton explains, “Compared to other sectors, health care data is more lucrative and can be sold in various ways. Though it is understandable that hospitals and clinics allot more resources toward patient care and improving their services, security should not be lacking.”
What needs to be done?
One of the reasons that cyber criminals are able to get away with stealing personal data from healthcare providers is the lack of safeguards applied. It’s important that hospitals, clinics and healthcare providers have the right staff to handle digital security.
EHR software vendors should look at reinforcing data protection, if they haven’t done so already. How software affects devices is also a strong consideration and something which needs regular monitoring.
IT administrators need to have a strong knowledge of data protection, what threats can affect the software and devices, and how to resolve any breaches which may occur.
For some, medical aid is something that is seen as a necessity. For medical aid providers, security and data protection should be seen as essential. Cybersecurity ensures the health of one’s personal information.