John Kuhn needed to bare his midriff to hospital administrators to finally get out of a $20,000 bill for surgery that he did not have.
“I had to go in front of the billing department and the chief financial officer and pull my shirt up and show them I did not have a gaping scar on my stomach,” he says.
Mr Kuhn, an IBM senior security threat researcher, learnt first-hand how valuable healthcare records can be to hackers, who can sell them on to potential patients or mine them for financial information and false identities. The first he heard of his medical records being stolen was when creditors called about the bill — and he can only guess how they hacked his data.
The growing digital health industry encourages the free movement of medical data with the objective of advancing clinical understanding. This can range from patients submitting personal information by app or wearable device to doctors sharing new forms of data such as genetic records.
Patients may have to be convinced that the gains will outweigh the pain, however, because so far the healthcare provider industry has not proved an entirely trustworthy custodian of digital medical records.
After last year’s data breaches at US health insurers — for example, Indianapolis-based Anthem, where up to 80m records were exposed — underground markets on the so-called “dark web” are filled with patient data for sale, says Caleb Barlow, vice-president at IBM Security.
“This is organised crime on an epic scale,” he adds, referring to the dark web sites being full of descriptions of records that contain everything from medical histories to social security numbers.
UpGuard, a cyber security start-up, gives companies a credit rating-like score based on whether it is clear from the outside that they have some basic security protections in place. Among nine leading hospitals, as ranked by Healthcare Global magazine, UpGuard scored seven of them below 600, the level the start-up considers an acceptable standard of security, with hospitals from the US, UK and Canada among those it rated unacceptable. The hospitals’ average score of 489 was far below the banking industry’s 628.
“It is not a good look,” says Mike Baukes, UpGuard co-founder and co-chief executive. While from the outside UpGuard can only see such basics as whether a website and email traffic are encrypted, he adds, it can often be inferred that if a provider is not doing this, then the rest of its data are not secure.
Two US hospitals that scored badly on the tests recently announced that they were hit by ransomware attacks — ransomware locks people out of access to important data and demands a pay-off to restore the systems. In February, Hollywood Presbyterian Medical Center paid hackers $17,000 in bitcoin to restore access to its electronic medical record system. Kentucky Methodist Hospital had to shut down all its computers and activate a back-up system.
As medical data leaves a hospital ward’s filing drawer, the healthcare industry is going to have to think far harder about how to protect the information. Veracode, an application security start-up, tested applications used by providers to communicate about appointments and test results. It found 80 per cent had problems with encryption.
One grey area is the lack of clear regulations on who is responsible for protecting patient data held in apps developed by third parties. Chris Wysopal, co-founder and chief technology officer of Veracode, said it is up to hospital managements to demand their app vendors have proper security and to test it themselves.
“The more sharing of data that happens, the more connections there are to users like doctors on their devices and patients on their devices, [the more] it becomes an enormous attack surface for really sensitive data,” he says.
The industry needs to think not only about preventing the theft of sensitive medical data, but also about making sure it can match the right patient to the right data. Healthcare IT and communications company Imprivata sells identification software to 1,500 hospital systems, providing ways for doctors to have secure access to data.
But David Ting, Imprivata’s chief technology officer, who also sits on the US health department’s cyber security task force, says that as hospitals increasingly rely on patients to monitor their wellness at home, they must think about methods to prove who the data relates to.
“The value of medical records is only as good as the ability to prove its integrity,” notes Mr Ting. “So if I bring in my vitals — my blood pressure and a record of what I ate — was it really mine or was it my son’s?”
As caregiving increasingly moves into the home, the industry may also need to find ways to electronically prove the identity and monitor the activities of a visiting nurse, he says: “How do I know they saw my grandmother? And for the full 30 minutes?”