
Chasing Medical Big Data: Don't Overlook the Critical Risks of Information Security

May 10, 2016 08:00 CST Updated 08:00

Whether in China or the United States, internet healthcare is currently the most prominent sector for entrepreneurship and investment. Mercom Capital Group believes that telemedicine, big data analytics, and wearable devices will be the hottest areas for healthcare investment in 2016. We have also observed a growing number of U.S. insurance institutions partnering with healthcare providers and research organizations to leverage various internet technologies to optimize service workflows and enhance service quality. At the same time, some people may not yet realize the sword of Damocles hanging over their heads: the issue of medical information security.


In February 2015, Anthem, the second-largest health insurance company in the United States, announced that hackers had stolen the personal information of more than 80 million customers, including home addresses, dates of birth, Social Security numbers, and income data. This breach became the most severe medical information leak in U.S. history. In May 2015, CareFirst, an insurer under Blue Cross Blue Shield (BCBS), a federal healthcare service provider in the U.S., announced that the information of 11 million users had been compromised due to a cyberattack. In September 2015, Excellus, an insurance provider, was hacked, resulting in the leakage of nearly 10 million users’ information. According to statistics from the U.S. Department of Health and Human Services (HHS), over the past three years the number of medical information breach incidents affecting more than 500 individuals has not increased significantly, but the number of people affected by these breaches has shown “explosive” growth. In 2015, medical information breaches from all causes cumulatively affected an astonishing 110 million people, 2.7 times the total number of individuals affected in the previous five years combined, equivalent to one-third of Americans having their medical information compromised. In the first three months of 2016 alone, 51 breach incidents occurred, affecting 3.47 million people. X-Force, IBM’s long-standing cybersecurity research group, dubbed 2015 the “Year of the Healthcare Information Security Outbreak.”



Here on the other side of the Pacific, we are also experiencing an explosive growth phase in the “Internet + Healthcare” sector. A multitude of healthcare-related mobile apps, websites, and other products have surged onto the market. Before delving into how much valuable medical service these numerous products can actually deliver to users, let us first focus on whether they can ensure the security of users’ personal information. A search for the keyword “hospital” on the well-known domestic cybersecurity website “WooYun” revealed more than 600 vulnerabilities, one-third of which were discovered and reported by “white-hat” hackers within the past two years. These security flaws range from deficiencies in hospital information systems to vulnerabilities on the websites of internet healthcare companies, covering nearly every aspect of the current internet healthcare landscape. The data breaches are alarming, involving large volumes of patients’ basic personal information and medical records. Even more concerning is that the vast majority of white-hat hackers who identified these vulnerabilities reported that the underlying technical issues were relatively rudimentary, errors that are rarely seen in other mature internet industries. This situation underscores the urgent need to enhance awareness and capabilities in medical information security protection in China.


Leak of Account Credentials for a Community Resident Disease Registration and Management System Exposes Large Amounts of Sensitive User Information


"A hospital's online follow-up system allows unrestricted registration and access to patient information." 



VCBeat identified the following three clear trends after summarizing and analyzing U.S. healthcare data breach incidents from 2010 to 2015:


Insurance companies have become the primary source of medical information leaks. Personal medical information is primarily leaked from three major types of institutions: health insurers, healthcare providers, and commercial partner companies. Data breaches involving commercial partners have shown a declining trend in both frequency and the number of individuals affected. In contrast, breaches at health insurers and healthcare providers are rising in both incidence and scale. Notably, given the vast user base served by health insurers, any data breach could result in “catastrophic” consequences.



Hacking has become the primary direct cause of data breaches. The primary causes of data breaches fall into five major categories: hacker intrusions, improper handling by users, unauthorized access, loss, and theft. Over the past two years, incidents involving hacker intrusions and unauthorized access have increased significantly, surpassing theft to become the leading cause of data breaches. In terms of the number of individuals affected, hacker intrusions have also been the main driver of the rapid growth in breach-related exposures over the past two years.


Servers are the primary channel responsible for massive information leaks. Information leaks primarily occur through the following channels: desktop computers, laptops, servers, electronic medical records, emails, and traditional paper records. Although incidents involving paper medical records are more frequent, the number of individuals affected is relatively limited. In contrast, server breaches account for 89% of the total number of individuals impacted, a trend correlated with the year-over-year increase in hacker intrusions noted above.


“Rome Was Not Built in a Day”: The Explosive Growth of Medical Data Breaches Stems from Within Healthcare and Insurance Institutions Themselves.


First, against the backdrop of the Obama administration’s vigorous promotion of healthcare information technology adoption, the proportion of U.S. healthcare institutions utilizing health IT systems has continued to rise in recent years, with inter-organizational data sharing becoming increasingly common. Healthcare information data is growing at a geometric rate, which directly increases the likelihood of data breaches.


Secondly, although U.S. healthcare informatics software represents the current state-of-the-art, severe software “fragmentation” exists both within and between healthcare institutions. Most software solutions were not designed with full consideration for potential security issues arising from future interoperability, leaving numerous security vulnerabilities. According to surveys, 41% of U.S. healthcare institutions do not encrypt medical data, and half are unable to effectively prevent or respond to information security breaches.


Furthermore, the departments responsible for information system maintenance in the vast majority of hospitals are understaffed. In the United States, 47% of healthcare institutions lack sufficient information security experts, compounded by a long-standing deficiency in effective information security training for medical personnel. These factors collectively increase the risk of information security breaches.


Compared to the three major internal factors mentioned above, external factors are now becoming the primary drivers of data breaches. Hackers have identified this as a reliable “revenue stream.” The methods by which hackers exploit healthcare information security vulnerabilities for profit can be broadly categorized into two types.

First, directly “monetizing” the leaked information. On the black market, personal medical information is worth 50 times more than credit card information, because it contains various types of sensitive data, including patients’ basic personal information, financial details, and health records. Criminals can exploit this information for fraud, extortion, and other illicit activities.

Second, indirectly “monetizing” by exploiting security vulnerabilities. The primary method involves compromising hospital network systems through cybersecurity vulnerabilities to extort ransom from the hospitals. Currently, in the United States, this second, “indirect” approach is becoming a major security threat. The cybersecurity incident that occurred at Presbyterian Intercommunity Hospital in Los Angeles this February is highly representative. Hackers infiltrated the hospital’s network system using malware, encrypted files within the system, and rendered all electronic medical record (EMR) data inaccessible. They then demanded ransom from the hospital in exchange for the decryption keys. Although hospital officials stated that patient and employee data were not illegally exploited by the hackers, clinical staff were forced to rely on manual processes, significantly reducing efficiency. Patients were unable to access their online medical records and test results, compelling many to seek care at other facilities. After failing to restore the system through various means, the hospital had no choice but to pay the hackers 40 bitcoins (a virtual cryptocurrency, valued at $17,000) to resume normal operations.

For a hospital with more than 400 beds, paying a $17,000 ransom may not seem excessive. However, once this “closed-loop” model of profiting by attacking hospital information systems and demanding ransom matures, more malicious actors will inevitably target healthcare institutions.


According to statistics from a U.S. software company named Royal Jay, data breaches in healthcare cost the entire industry up to $6 billion annually, with each breach causing an average loss of $3.5 million for hospitals and nearly $400 for individuals. From the perspective of hackers, security vulnerabilities in health insurance institutions are “as numerous as ox hairs.” Simple penetration attacks can be used to demand ransoms, while electronic virtual currencies like Bitcoin enable concealed transactions, making it significantly more difficult for law enforcement to track and solve these crimes. For patients and healthcare institutions, the financial losses incurred to mitigate information security breaches are merely the beginning of a “nightmare.” The most significant potential harm lies in hackers exploiting cybersecurity vulnerabilities to directly take control of medical devices, thereby jeopardizing medical safety and patient lives. Amidst the wave of “Internet Plus,” in an effort to acquire more user data, many traditional devices have been connected to the network. This is akin to adding numerous unlocked doors to an already fragile barrier.



Rome was not built in a day; building the “fortress wall” of medical information security is a heavy responsibility and a long journey.


U.S. government agencies have begun collaborating with numerous manufacturers to strengthen cybersecurity defenses and mitigate escalating risks. In 2013, the U.S. Food and Drug Administration (FDA) issued a warning to medical device manufacturers, recommending that they assess the cybersecurity of their products. In October 2014, the FDA released guidance on cybersecurity features for medical devices, urging manufacturers to enhance device security to prevent exploitation by attackers. In 2015, frequent cybersecurity incidents involving various medical devices and health insurers drew even the attention of the U.S. Department of Homeland Security. In January 2016, the FDA published a draft guidance on cybersecurity for medical devices, which included a series of specific recommendations for enhancing device security. From the government to medical device manufacturers, health insurers, and healthcare institutions, all parties have adopted a posture of heightened readiness in the face of an imminent threat.


At this stage, we have only witnessed criminals exploiting cybersecurity vulnerabilities for financial gain. Sooner or later, we will see individuals leveraging these vulnerabilities to commit acts that endanger lives. This is the most chilling prospect of all. Although we are not cybersecurity experts, we would still like to offer some suggestions to healthcare institutions and relevant vendors here. Several recommendations: 1. Do not overestimate your cybersecurity protection capabilities; 2. Strengthen employee cybersecurity training; 3. Consider collaborating with third-party professional institutions for cybersecurity infrastructure development; 4. Establish a comprehensive emergency response plan to address data breach incidents.


Prioritizing data security is prioritizing user safety.


In the future, tragedies similar to the previously mentioned cyberattack on Presbyterian Hospital in Los Angeles are bound to recur. While healthcare institutions and vendors strengthen their cybersecurity measures, they can only “pray” that they will not become the next target of hackers.


We welcome domestic companies specializing in healthcare information security to contact us and jointly explore strategies for safeguarding healthcare information.

