Difference between revisions of "Security of Protected Health Information"

From Clinfowiki
(Notable cyberattacks)
Line 1: Line 1:
 +
 +
 +
== Motivations for cyberattacks ==
 +
 +
ePHI is extremely valuable: The price of complete record of a single patient can be sold for 100s of dollars on the dark web <ref>Forensic Readiness. Journal of Medical Systems, 43(1). https://doi.org/10.1007/s10916-018-1123-2</ref>
 +
 +
Additional motivations can range from local political, foreign state-sponsored and terrorist: attackers may seek to disrupt critical human services as a form of political retaliation <ref>Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-12r1</ref>
 +
 +
== Cyberattack methods ==
 +
 +
Threat actors can intercept unencrypted or poorly encrypted data on improperly disposed of electronic media (hard drives, floppy disks, optical media) that contain ePHI. Actors can also plant malicious code onto network machines through email or web downloads<ref>Wilshusen, G. C., & Barkakati, N. (2012). Information security: better implementation of controls for mobile devices should be encouraged : report to congressional committees. Retrieved from http://purl.fdlp.gov/GPO/gpo33062</ref>
 +
 +
Social media can be used to conduct social engineering attacks – attackers may use information from social media pages to impersonate or trick healthcare providers into performing actions beneficial to the hacker (Nieles et al., 2017).
 +
<ref>Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-12r1</ref>
 +
 +
The COVID pandemic has also heightened vulnerabilities as telemedicine and remote work added more ways into systems, such as through unsecured virtual private networks and compromised home work stations. It has also resulted in the furloughing of network security staff who can prevent and handle threats<ref>Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC.</ref>
  
  
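Review bot: The first reference under "Motivations for cyberattacks" carries only "Forensic Readiness. Journal of Medical Systems, 43(1)" and a DOI, with no authors, year or full article title; it should be completed to match the other entries. The Nieles et al. (2017) source is written out in full in two separate ref tags. Naming the first ref and reusing it would avoid a duplicate entry in the reference list, and the social-engineering paragraph would then not need both the inline "(Nieles et al., 2017)" and a footnote. The sentences that end in a ref tag in this hunk also lack a closing period.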
Line 7: Line 23:
  
 
* The REvil hacker group performed a ransomware attack on the University Medical Center of Southern Nevada in which patient data was stolen.<ref name=McKeon2021">McKeon, J. (2021, July 1). Hospital Ransomware Attack in Las Vegas Exposes PII. Health IT Security.</ref>⁠.
 
* The REvil hacker group performed a ransomware attack on the University Medical Center of Southern Nevada in which patient data was stolen.<ref name=McKeon2021">McKeon, J. (2021, July 1). Hospital Ransomware Attack in Las Vegas Exposes PII. Health IT Security.</ref>⁠.
* The Springhill Medical Center in Alabama was the victim of cyberattack in 2019. <ref>https://www.nbcnews.com/news/baby-died-due-ransomware-attack-hospital-suit-claims-rcna2465</ref>
+
 
 +
 
  
 
== References ==
 
== References ==
 
<references />
 
<references />
 +
 +
 +
 +
Submitted by Nikhil Kurapati
 +
[[Category:BMI512-FALL-21]]
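Review bot: In the REvil bullet the ref tag reads name=McKeon2021" with a closing quote but no opening one; it should be name="McKeon2021". The bullet also ends with a stray period after the closing ref tag. The Springhill Medical Center bullet cites a bare URL, which should be formatted as a full citation like the other references. Its text, "was the victim of cyberattack in 2019", is missing an article and does not say what kind of attack it was or what followed from it, although the cited URL indicates a ransomware attack and a lawsuit.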

Revision as of 23:20, 26 April 2022


Motivations for cyberattacks

ePHI is extremely valuable: the complete record of a single patient can be sold for hundreds of dollars on the dark web. [1]

Additional motivations range from local political to foreign state-sponsored and terrorist: attackers may seek to disrupt critical human services as a form of political retaliation. [2]

Cyberattack methods

Threat actors can intercept unencrypted or poorly encrypted data on improperly disposed-of electronic media (hard drives, floppy disks, optical media) that contain ePHI. Actors can also plant malicious code on networked machines through email or web downloads. [3]

Social media can be used to conduct social engineering attacks – attackers may use information from social media pages to impersonate or trick healthcare providers into performing actions beneficial to the hacker (Nieles et al., 2017). [4]

The COVID pandemic has also heightened vulnerabilities, as telemedicine and remote work added more ways into systems, such as through unsecured virtual private networks and compromised home workstations. It has also resulted in the furloughing of network security staff who can prevent and handle threats. [5]


Notable cyberattacks

Medical identity theft is one of the fastest-growing crimes in the U.S., costing an estimated $30 billion a year and growing. [6] For the healthcare industry in 2020, ransomware attacks were responsible for $20 billion lost in impacted revenue, lawsuits and ransom paid, impacting over 600 hospitals, clinics and other healthcare organizations. [7] More than 1 in 3 health care organizations globally reported being hit by ransomware in 2020. [8]

  • The REvil hacker group performed a ransomware attack on the University Medical Center of Southern Nevada in which patient data was stolen.[9]


References

  1. Forensic Readiness. Journal of Medical Systems, 43(1). https://doi.org/10.1007/s10916-018-1123-2
  2. Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-12r1
  3. Wilshusen, G. C., & Barkakati, N. (2012). Information security: better implementation of controls for mobile devices should be encouraged : report to congressional committees. Retrieved from http://purl.fdlp.gov/GPO/gpo33062
  4. Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An introduction to information security. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-12r1
  5. Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC.
  6. Phelan, J. (2012). Creating a Trusted Environment: Reducing the Threat of Medical Identity Theft. Healthcare Information and Management System Society, 29. Retrieved from https://risk.lexisnexis.com/cross-industry-fraud-files/docs/healthcare/Creating-Trusted-Environment-Reducing-Threat-Medical-Identify-Theft.pdf
  7. https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
  8. Weiner, S. (2021, July 20). The growing threat of ransomware attacks on hospitals. AAMC.
  9. McKeon, J. (2021, July 1). Hospital Ransomware Attack in Las Vegas Exposes PII. Health IT Security.


Submitted by Nikhil Kurapati