To mitigate medical hacks, identify incentives for hackers

Editor's note:

This post originally appeared on U.S. News and World Report.


Privacy breaches are extremely ubiquitous in the health care industry. Over the last six years, medical data of more than 155 million Americans have been potentially exposed through nearly 1,500 breach incidents. While there are notable ongoing efforts among health care organizations to prevent these incidents, the strategies to mitigate the consequences of privacy breaches after they happen are entirely neglected.

A privacy breach is a risk that has two components: probability and consequence. To effectively mitigate the risk, both of the components should be curbed. That is, we should not only try to prevent the privacy breaches, but also should have a plan to mitigate the negative consequences of such breaches in case they happen.

Unlike health care organizations, the banking sector has mastered the art of mitigating the consequences of privacy breaches. Immediately after the breach of credit card data, all affected consumers are notified, their old credit cards are frozen and new ones are issued. The process is so quick and efficient that consumers often face considerably less harm from a credit card data breach, especially because many credit card issuers now provide fraud liability coverage to their consumers and insure them against fraudulent charges.

On the other hand, the response of health care organizations to a data breach only consists of panic, mandatory reporting, and in some cases, provision of identity theft protection. Despite the fact that medical data breaches can be disastrous for patients, health care organizations have no viable strategy or technology to effectively reduce the negative consequences of data breaches.

To mitigate the consequences of privacy incidents, we should first know exactly how the breached data could be misused by hackers or unauthorized users; to block a road, one should first know where the road is located. Banks can often prevent hackers from using stolen credit card information simply because they are better versed in how hackers monetize that data, and thus have designed strategies to combat it. Despite the public concerns over health care privacy breaches, we do not know exactly why hackers are interested in stealing medical data or how exactly they monetize it.

In many cases, hackers aren’t really after health care data; they want patients’ credit card information, which due to poor information technology practices, is stored on the same network as many patients’ health records. Hacking the financial part of the data also opens the door to medical data.

In other cases, hackers want the medical data of one or a few individuals. As soon as a celebrity is admitted to a hospital, the hacking attacks on the specific hospital skyrocket. Many people are interested in such data and are willing to pay top dollar for it, which creates a strong financial incentive for hackers to try to steal the celebrity’s medical records.

While it is very easy to follow the money and figure out why hackers may be interested in getting their hands on the medical records of a celebrity or other specific individuals to commit insurance fraud, it is very difficult to imagine how a criminal organization may be able to monetize the medical data of say 655,000 Americans. There is still even a great deal of confusion about the value of stolen medical data in the black market as the range of reported value for one record of stolen data varies from under $1 to almost $500.

The first step to overcome this limitation and better protect patients’ privacy is to identify the incentives behind hacking attacks and classify all the possible ways through which the stolen medical data could be misused. Independent research institutes are uniquely situated to solicit the experiences of patients who have been the victim of medical data breaches and uncover the different ways through which hackers monetized the stolen data. The expertise and experience of law enforcement agencies such as the FBI’s cybercrime division or the Health and Human Services’ inspector general can also shed considerable light on other ways through which criminal organizations use stolen medical data to commit fraud.

We still have much to learn about why hackers go after medical data and how they monetize it. These government agencies could help us do just that.