HHS Data, Hackers and Medical Records

HHS data relating to hackers and medical records is not always the best source of information on which to base decisions about how to assign security resources. However, proposals for Cyber Incident Reporting for the Critical Infrastructure Act (CIRCIA) could significantly improve the quality of data available to security professionals in the healthcare industry.

  • Why the concern about hackers and medical records?
  • How many medical records are hacked each year?
  • What other issues exist with the Data Breach Portal?
  • What are the consequences of using HHS data?
  • How might the quality of data soon be improved?
  • Conclusion: What should security teams do now?

Why the Concern about Hackers and Medical Records?

The concern about hackers and medical records exists because complete medical records are valuable commodities and therefore highly prized by hackers. Unlike credit cards, which can be stopped as soon as a fraudulent activity is identified, hacked medical records can be exploited time and time again – for example, to get medical services or prescription drugs, fraudulently bill insurance providers for treatments, or commit identity theft to obtain loans or other benefits.

The cost of these crimes is most often borne by healthcare facilities, insurance providers, and financial institutions. However, the crimes can also hurt individuals who have had their medical records hacked. This is because a further way of monetizing hacked medical records is to sell them to cybercriminals, who can leverage the information to blackmail victims or start phishing campaigns against them and their families.

The concern about hackers and medical records is exacerbated by the volume of medical records that can be hacked in a single breach. According to research conducted in October 2022, a data breach attributable to hacking yields an average of 98,762 medical records. Although these may not always be complete medical records, there is often sufficient information stolen for hackers to hurt the victims directly or indirectly.

How Many Medical Records are Hacked Each Year?

There is no way of telling how many medical records are hacked each year because the only public database of healthcare data breaches is OCR’s Breach Report. This database lists every reported breach or loss of unsecured Protected Health Information (PHI) in which 500 or more records are presumed to have been accessed without authorization, or in which 500 or more records have been out of the control of the notifying entity due to a ransomware attack.

While this database can be a useful source for identifying trends in cybercriminal activity, it does not record data breaches affecting fewer than 500 records or data breaches affecting entities that are not covered by HIPAA (e.g., vendors of connected health apps). Consequently, hundreds of thousands of medical records stolen by hackers every year are omitted from OCR’s Breach Report and not included in healthcare data breach statistics.

A further issue relating to hackers and medical records is how ransomware attacks are recorded. According to an HHS Ransomware Fact Sheet, whether or not a ransomware attack is a notifiable event is a “fact-specific determination”. Effectively, if a covered entity cannot demonstrate that PHI was definitely not compromised in an attack, it is a notifiable event. Consequently, some breaches will be reported as Hacking/IT incidents even when no medical records have been accessed.

What Other Issues Exist with the Data Breach Portal?

Other issues exist with the Data Breach Portal that can result in a misleading impression of activity by hackers and medical records theft. When notifying a data breach via the Portal, covered entities only have a limited number of options to explain how the breach occurred (Hacking/IT Incident, Improper Disposal, Loss, Theft, or Unauthorized Access/Disclosure). Many choose the first option on the list if the others do not apply, even though it may not be entirely accurate.

An example of the “check the first box” issue is one of the largest healthcare data breaches ever – the Premera Blue Cross breach in which the PHI of 10.4 million plan members was stolen. This breach will forever be recorded as a data breach attributable to a Hacking/IT Incident. However, the data breach was only possible because a Premera employee interacted with a phishing email that enabled hackers to install malware on Premera’s systems.

The shortcomings of the Data Breach Portal and the Breach Report are not the fault of HHS as the agency implemented what was required of it by HITECH §13402. Furthermore, HHS does not have the authority to require non-covered entities to notify data breaches nor the resources to determine whether every notified data breach actually involves an impermissible disclosure – or whether it was notified because the covered entity could not ascertain whether PHI was compromised in the event.

What are the Consequences of Using HHS Data?

The consequence of basing decisions about how to assign security resources on HHS data is that organizations may assign resources to defenses that do not match the way data breaches actually occur. For example, an organization influenced by healthcare data breach statistics that imply an increase in Hacking and IT Incidents may assign resources to strengthening network defenses and installing monitoring systems, when what may really be needed is improved resiliency against phishing.

The risk of misassigning resources can be mitigated by going into the Archive section of the Breach Report, where it is possible to click on a report of how each notification was resolved. The reports provide further evidence that many cyberattacks begin with a phishing email, and that many data breaches are attributable to a lack of internal controls (e.g., publicly accessible cloud storage volumes) rather than the malicious activities of an external third party.

According to OCR’s 2021 Report to Congress, in addition to the 609 data breaches that appeared on the Breach Report in 2020, OCR received a further 63,571 notifications of breaches affecting fewer than 500 individuals. This is significant because, although most healthcare data breach statistics for that year state that 67% of data breaches were attributable to Hacking and IT Incidents, the most common reason for a data breach in 2020 (of any size) was Unauthorized Access or Disclosure.
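The skew described in this section can be made concrete with a small analysis. The following is an added example, not code or data from the article: the notifications are constructed, and the `root_cause` field stands in for what a reader would find in the archived resolution report for each entry. It computes the breach-type distribution three ways: by Portal category for breaches at or above the 500-record threshold, by root cause for the same set, and by Portal category across all sizes.

```python
from collections import Counter
from dataclasses import dataclass

REPORT_THRESHOLD = 500  # HITECH/OCR public-listing threshold discussed in the article

@dataclass(frozen=True)
class Breach:
    entity: str
    records: int
    portal_type: str   # one of the five options offered by the Data Breach Portal
    root_cause: str    # constructed stand-in for the archived resolution report

# Constructed sample notifications (not real Breach Report entries).
SAMPLE = [
    Breach("Plan A",     10_400_000, "Hacking/IT Incident", "phishing"),
    Breach("Hospital B",     98_762, "Hacking/IT Incident", "phishing"),
    Breach("Clinic C",        4_300, "Hacking/IT Incident", "ransomware, exfiltration unproven"),
    Breach("System D",       12_000, "Hacking/IT Incident", "exploited vulnerability"),
    Breach("Practice E",        900, "Unauthorized Access/Disclosure", "misconfigured cloud storage"),
    Breach("Practice F",        650, "Unauthorized Access/Disclosure", "misconfigured cloud storage"),
    # Below-threshold notifications: received by OCR but absent from the public Breach Report.
    Breach("Lab G",              40, "Unauthorized Access/Disclosure", "employee snooping"),
    Breach("Pharmacy H",         75, "Unauthorized Access/Disclosure", "misdirected mail"),
    Breach("Practice I",        120, "Unauthorized Access/Disclosure", "misdirected fax"),
    Breach("Clinic J",           15, "Unauthorized Access/Disclosure", "misdirected email"),
    Breach("Practice K",        210, "Unauthorized Access/Disclosure", "employee snooping"),
    Breach("Vendor L",          300, "Loss", "lost unencrypted laptop"),
]

def _share(counter):
    """Convert raw counts into a fraction of the total, rounded to 2 places."""
    total = sum(counter.values())
    return {label: round(n / total, 2) for label, n in counter.items()}

def by_portal_type(breaches, min_records=REPORT_THRESHOLD):
    """Distribution by the category the covered entity picked on the Portal."""
    return _share(Counter(b.portal_type for b in breaches if b.records >= min_records))

def by_root_cause(breaches, min_records=REPORT_THRESHOLD):
    """Distribution by the cause recorded in the (constructed) resolution report."""
    return _share(Counter(b.root_cause for b in breaches if b.records >= min_records))

def top_label(distribution):
    """The single most common label in a distribution."""
    return max(distribution, key=distribution.get)

if __name__ == "__main__":
    print("Portal view, >=500 records:", by_portal_type(SAMPLE))
    print("Root-cause view, >=500 records:", by_root_cause(SAMPLE))
    print("Portal view, all sizes:", by_portal_type(SAMPLE, min_records=0))
```

In the public-listing view Hacking/IT Incidents dominate, while the root-cause view shows phishing and misconfigured storage as the controls that actually failed, and including the sub-500 notifications makes Unauthorized Access/Disclosure the most common category overall.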

How Might the Quality of Data Soon be Improved?

The quality of data relating to hackers and medical records might soon be improved depending on what measures are implemented to comply with the requirements for Cyber Incident Reporting for the Critical Infrastructure Act (CIRCIA). Under CIRCIA, all healthcare providers and their service providers (whether covered by HIPAA or not) will be required to report the following events to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery:

  • Any unauthorized access to systems.
  • Denial of Service (DoS) attacks that last more than 12 hours.
  • Malicious code found on systems, including variants if known.
  • Targeted and repeated scans against system services.
  • Repeated attempts to gain unauthorized access to systems.
  • Email or mobile messages associated with phishing (both successful and unsuccessful).
  • Ransomware against Critical Infrastructure, including variant and ransom details.

The proposed reporting requirements include a description of the event, a description of the vulnerability responsible for the event (including human vulnerability), the security defenses in place at the time to prevent or mitigate the event, the tactics, techniques, and procedures used by the attacker, and details of the compromised information. If these requirements are adopted, the result will be far more accurate and complete data about hackers and medical record thefts.

Conclusion: What Should Security Teams do Now?

Until such time as the requirements for cyber incident reporting are confirmed (a Notice of Proposed Rule Making is due in March 2024 and the Final Rule due by September 2025), security teams should assign resources according to the outcome of risk assessments and risk analyses rather than relying on healthcare data breach statistics compiled from potentially inaccurate and incomplete data.

Additionally, to prepare for the change in reporting requirements in 2025, security teams should get involved with the voluntary cyber incident reporting program run by CISA and the FBI. This program is not only used for compiling information about cyber threats, but also for providing help and support to enable healthcare providers to better respond to – and recover from – security incidents.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news