The fragmented healthcare data ecosystem offers cybercriminals a variety of attack vectors. This is not surprising when you realize that the industry’s struggle to adjust to HIPAA privacy rules coincided with the movement toward online patient communication systems. Cybercriminals are notoriously ahead of their prey in terms of technical knowledge, and the healthcare industry has become a natural target for cyberattack. Consider the attractiveness of over-worked medical center employees as email phishing targets, for example.
Can blockchain solve the healthcare industry’s many cybersecurity weaknesses? Possibly. But, first, what is the current state of healthcare data privacy and what barriers will blockchain solutions have to clear in order to make an impact?
Cybercriminals are Clamoring to Steal and Sell Healthcare Data
Cyberattacks make the news on a daily basis and affect a wide range of industries. The common denominator in many cyberattacks on large organizations is that the real victims are the individuals whose personal data is sold, exposed, or otherwise misused. Unfortunately, cybercriminals are motivated to obtain and sell healthcare data in particular, making the industry a massive target for abuse.
“For cybercriminals, health data is far more valuable than other types of information they sell for profit. A protected health information (PHI) record, for example, is worth 100 times as much as a credit card number on the Dark Web, Bugcrowd states in its recently published State of Healthcare Security 2019 report.” Kelly Sheridan
Healthcare Data Breaches are Shockingly Common
Cybercriminals attack healthcare data systems relentlessly, looking for weaknesses to exploit.
“As of July 2, 2019, 218 breaches affecting a total of nearly 10 million individuals have been added to the HIPAA Breach Reporting Tool website – commonly called the ‘wall of shame’ – so far this year.” Marianne Kolbasuk McGee
Healthcare data breaches are occurring throughout the entire healthcare vertical from hospitals and medical offices to the vendors that serve them. Recent breaches in the news include:
- 20 million patients affected in AMCA healthcare data breach, including nearly 12 million patients of Quest Diagnostics, 7.7 million patients of LabCorp, and over 422,000 patients of BioReference Labs CPO Magazine
- 2,964,778 dental plan members affected in Dominion Dental healthcare data breach. Unauthorized access to its systems first occurred on August 25, 2010, nine years before the investigation was completed. HIPAA Journal
- 14,591 patients affected in Nemadji Research Corporation (California Reimbursement Enterprises) data breach after an employee fell victim to a phishing attack in March Health IT Security
Organizations Struggle to Identify and Resolve Cyberattacks
Not only is the frequency of healthcare data breaches alarming, the huge number of patients impacted is staggering. In addition to these massive data breaches, many organizations are under attack for years before detecting and mitigating breaches.
“The largest breach added to the tally so far this year is a hacking incident affecting almost 3 million individuals reported June 21 by Dominion Dental Services, a Virginia-based insurer… the incident was first discovered in April but is believed to have started nine years ago.” Marianne Kolbasuk McGee
Slow detection of and response to data breaches may be related to poorly designed or poorly implemented EHR systems, and to uneven data-protection controls around them. For example, a recent Thales study found that all (100%) of the healthcare organizations it surveyed reported collecting, storing, or sharing sensitive data through digital transformation technologies, yet no more than 38% were encrypting that data along the way. Encryption does not by itself shorten the time it takes to notice an intruder, but it limits what an intruder who has been inside for months can actually read.
Unfortunately, the healthcare industry is known for uneven adoption of new technology, and it only takes one weak link in the healthcare data chain to make a breach possible. A patient billing vendor with weak network controls, for example, can expose data from a medical office that is otherwise diligent about encryption and access control.
Healthcare Employees are Often Unwitting Vectors for Cyberattack
Hackers are keenly aware of the healthcare data system’s vulnerabilities, many of which stem from human error. The simple act of clicking a link in a phishing email, or entering credentials on the login page it leads to, can expose thousands of patients’ electronic health records.
“An employee of vendor California Reimbursement Enterprises fell victim to a phishing attack in March, which potentially breached the data of 14,500 patients, including those from Los Angeles County DHS.” Jessica Davis
While it can be argued that employees should be able to identify and avoid phishing email attempts, it is important to remember the chaotic and fast-paced nature of a busy hospital or medical office. Overworked and/or improperly trained staff are likely to increase the chance of human error.
Breaches can also come from within the organization. Every person who legitimately touches healthcare data is also a person who can misuse that access, through carelessness or on purpose, and under HIPAA those incidents are breaches just as much as external intrusions are.
“After analyzing 1,138 data breaches that occurred between October 2009 and December 2017, researchers found that more than half (53%) had originated inside the organization.” JAMA Network
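Because more than half of these breaches originate inside the organization, the control that matters most is review of the EHR access audit trail. The script below is an added example, not code from the original article or from any product it mentions; it runs two classic insider checks over a constructed audit log in a hypothetical CSV format: chart access by a user who has no documented treatment relationship with the patient, and bulk access to many distinct patient records within a short window. The care-team table, role exemptions, window and threshold are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample EHR audit log (hypothetical format, not from any real system):
# timestamp,user,role,patient_id,action
AUDIT_LOG = """\
2019-07-01T08:02:11,drpatel,physician,P1001,view_chart
2019-07-01T08:05:40,nurse_kim,nurse,P1001,view_chart
2019-07-01T08:07:03,drpatel,physician,P1002,view_chart
2019-07-01T09:15:22,billing_ron,billing,P1003,view_demographics
2019-07-01T12:30:05,nurse_kim,nurse,P2001,view_chart
2019-07-01T12:31:10,nurse_kim,nurse,P2002,view_chart
2019-07-01T12:31:55,nurse_kim,nurse,P2003,view_chart
2019-07-01T12:32:40,nurse_kim,nurse,P2004,view_chart
2019-07-01T12:33:20,nurse_kim,nurse,P2005,view_chart
2019-07-01T12:34:01,nurse_kim,nurse,P2006,view_chart
2019-07-01T14:00:00,drpatel,physician,P1002,view_chart
"""

# Constructed treatment relationships: which users are on each patient's care team.
# In a real deployment this comes from the scheduling/encounter system.
CARE_TEAM = {
    "P1001": {"drpatel", "nurse_kim"},
    "P1002": {"drpatel"},
    "P1003": {"drpatel"},
}

# Actions a role may perform without a documented treatment relationship
# (assumption: billing staff need demographics, never the clinical chart).
ROLE_ALLOWED_WITHOUT_RELATIONSHIP = {
    "billing": {"view_demographics"},
}


def parse_log(text):
    """Parse the hypothetical CSV audit format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def relationship_violations(events, care_team):
    """Flag accesses where the user is not on the patient's care team
    and the role has no standing exemption for that action."""
    findings = []
    for e in events:
        if e["action"] in ROLE_ALLOWED_WITHOUT_RELATIONSHIP.get(e["role"], set()):
            continue
        if e["user"] not in care_team.get(e["patient"], set()):
            findings.append({"type": "no_treatment_relationship", "user": e["user"],
                             "patient": e["patient"], "ts": e["ts"]})
    return findings


def bulk_access(events, window=timedelta(minutes=10), threshold=5):
    """Flag a user who touches >= threshold distinct patients inside one window.
    One finding per user, at the first window that crosses the threshold."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            patients = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                patients.add(e["patient"])
            if len(patients) >= threshold:
                findings.append({"type": "bulk_access", "user": user,
                                 "window_start": start["ts"],
                                 "distinct_patients": len(patients)})
                break
    return findings


def analyze(text=AUDIT_LOG, care_team=CARE_TEAM):
    """Run both checks and return the combined list of findings."""
    events = parse_log(text)
    return relationship_violations(events, care_team) + bulk_access(events)


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the sample data the physician and the billing clerk produce no findings, while the nurse is flagged once per out-of-relationship chart view and once for viewing six distinct patients in under five minutes. In practice the care-team table is the hard part: it has to be fed from encounters and schedules, and "break the glass" emergency access should generate a finding that is reviewed rather than a finding that is suppressed.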
Healthcare Data Breaches Can Mean the End of a Business
Patients are not the only victims in healthcare data breaches. Medical organizations stand to spend significant sums of money to properly notify all affected by a data breach. In some cases, the notification process itself can bring the organization to a grinding halt.
“After the breach, Retrieval-Masters Creditors Bureau CEO Russell Fuchs wrote in the court filing that the company has incurred ‘enormous expenses that were beyond the ability of the debtor to bear.’ The company has spent $3.8 million to mail over 7 million individual notices to individual breach victims.” Jessica Davis
Health organizations also face multi-million dollar settlements with affected parties. Premera Blue Cross signed a $10 million settlement with 30 states. And of course, regulators impose fines: Anthem recently agreed to pay $16 million to the HHS Office for Civil Rights (OCR) to settle potential HIPAA violations arising from the largest health data breach in history.
Blockchain Solutions for Healthcare Cybersecurity
Blockchain might be able to resolve many of the weaknesses that lead to healthcare data breaches, but how will this new technology find its way to all corners of the healthcare industry? In addition to the obvious data privacy concern, healthcare-focused blockchain projects have a few industry pain-points to consider when rolling out new solutions:
- Many healthcare organizations have understaffed and/or undertrained IT departments.
- Healthcare IT infrastructure varies by organization.
- Healthcare software users have varying levels of computer and database proficiency.
Driven by the above issues, Software-as-a-Service (SaaS) models have been widely adopted in healthcare, with a majority of organizations reporting that they use six or more SaaS applications. Blockchain vendors may find that the -as-a-Service model is the best way to roll out this new technology.
One project working to apply the Blockchain-as-a-Service (BaaS) model to healthcare is Duality Blockchain Solutions (Duality).
“Duality developed the Dynamic blockchain specifically to help healthcare organizations reduce resourcing requirements, directory maintenance costs, and to eliminate the need to employ trusted third parties for hosting, administering and managing data.” Duality Blockchain Solutions
Blockchain Directory Access Protocol
BaaS is more involved than SaaS: it is not just a subscription model wrapped around a web-based app. Accordingly, Duality introduced the Blockchain Directory Access Protocol (BDAP), which supports the project’s decentralized services delivered as dApps (decentralized applications). The benefit Duality claims for dApps is that a healthcare organization no longer has to hand its sensitive data to a third-party vendor. In practice that trust moves to wherever the organization’s keys and data actually reside, so the question to ask of any dApp is who holds the keys and who operates the nodes.
Duality’s healthcare dApps address a spectrum of patient data touch points, from enrollment (using a combination of software and biometric hardware) and consultation to private peer-to-peer file and link sharing:
- NoID: Identification and data management software and biometric hardware for patient enrollment, accurate identification, and secure data management.
- pConsult: Peer-to-peer professional services marketplace with private live video and audio, secure messaging, and document exchange between participants.
- pShare: Privacy-oriented peer-to-peer file-and-folder sharing.
So, what does the future hold for healthcare data privacy? Cybercriminals will continue to search for weaknesses, cloud-connected medical devices will continue to enter the market, and patients will increasingly look to digital communication methods.
But, will healthcare organizations search for – and implement – solutions? I’m watching Duality to find out.
Disclaimer: The author works with Duality Blockchain Solutions, providing social media marketing support. Nothing in this article should be considered financial advice.
- 5 Scariest Health Data Breaches of 2018. Tony Abraham, Healthcare Dive
- 32% Providers Store Data in Cloud, Despite Lack of Security Resources. Jessica Davis, Health IT Security
- AMCA Files Chapter 11 After Data Breach Impacting Quest, LabCorp. Jessica Davis, Health IT Security
- Anthem Shells Out $16M in Largest Ever HIPAA Fine. Rebecca Pifer, Healthcare Dive
- Health Data Breach Tally: A Mid-Year Update. Marianne Kolbasuk McGee, Gov Info Security
- Industry Insight: Checking Up on Healthcare Security. Kelly Sheridan, Dark Reading
- Phishing Attack on California Vendor Breaches Data of 14,500 Patients. Jessica Davis, Health IT Security
- Premera Reaches $10M Settlement with 30 States Over 2014 Data Breach. Jessica Davis, Health IT Security
- Regulating Exposure to Occupational Stress: A Guide for Hospitals. National Institute for Occupational Safety and Health (NIOSH)
- Survey: How Healthcare Deploys Software as a Service (SaaS) Apps. Fred Pennic, HIT Consultant
- Why 70% of Healthcare Orgs Have Suffered Data Breaches. Macy Bayern, TechRepublic