1(630)802-8605 Ravi.das@bn-inc.net

Well, for those of you on Obama Care, open enrollment is actually going on right now.  There is exactly one month left, as the door closes on this on December 15th, depending upon the time zone that you are in.  This is one of my least favorite things to do.

I do have to admit that the Customer Service Reps at Healthcare.gov are very nice and very helpful, provided that English is their native language.  But it can take up to 3 hours just to initiate the reenrollment process and get health coverage for 2020.

At least that is how long it took me to get it for me and my significant other.  There are just so many moving parts to it; I wish the process were simpler.  But hey, at least we have affordable healthcare insurance, and for that, I am grateful.

The CSR even told me that I could expedite the reenrollment process online if I wanted to, but I told her I refused to, because of security issues.  I told her I would rather talk to a live agent, with whom I have a higher level of trust.

So, I am sure you can now guess where this is all leading to?  Today’s topic!!!  Yep, that’s right, security in the healthcare industry.  This market segment, when compared to the others, is probably one of the most regulated and watched, primarily because of the mandates and fines that are imposed by HIPAA.  A lot of it has to do with how patient health records are accessed, who accesses them, and the kinds of authentication mechanisms that are in place for all of this to happen.

But there is a lot more at stake here than just mere credit card numbers.  There are the Social Security numbers of patients, all of their Personal Health Information (PHI), etc.  Given the covert nature of the Cyberattacker, patients, who include you and me, are at risk for all sorts of breaches, including Identity Theft and even impersonation.

These are the worst kinds of attacks, as very often, it is too late to do anything once we have discovered that we have become a victim.  And, trying to reclaim our identity could even take years.

But, despite the stringent measures that have been put forth by HIPAA, the healthcare industry still finds itself in the prime cross hairs of the Cyberattacker.  This is at least according to the latest market research survey that was conducted by a Cybersecurity firm known as Carbon Black.  Their study is entitled “Healthcare Cyber Heists in 2019”, and it can be downloaded from this link:

Here are some of the major findings of it:

*A staggering 83% of the CIOs and CISOs in the healthcare industry have claimed that their businesses have been the victim of a major security breach;

*There is an average of 8.2 Cyberattacks that are hitting the major healthcare players on a monthly basis;

*There has been a 66% Year Over Year (YOY, from 2018 to 2019) increase in the total number of Cyberattacks that have occurred;

*33% of the Cyberattacks have occurred because of some sort of vulnerability or gap that existed in the Network Infrastructure.  Thus, this created a backdoor for the hacker to get in through;

*The primary intent in 45% of these attacks was the sheer destruction of the PHI of the patients that were the victims in these breaches.

But keep in mind, once all of the medical records have been stolen, that is not the end of the story.  Remember, one of the primary objectives of the Cyberattacker is financial gain.  So how do they get it once all of this information and data has been hijacked?  Through the Dark Web of course, which has been deemed as the “Underworld” of the Internet.

So, what are the most in demand items on the Dark Web, as it relates to Personal Health Information (PHI)?  Here is a sampling:

*Provider Data:

This is mostly the paperwork that can be used to impersonate the identity of a doctor.  Once this is sold and bought on the Dark Web, the Cyberattacker can then file false insurance claims, or even file claims for high end surgeries (such as that of open-heart surgery).  In this instance, the Cyberattacker can profit by taking the cash, leaving the rest of the costly expenses to the victim.  This kind of PHI sells for about $500 per record on the Dark Web.

*Health Care Portal Login Credentials:

This is where the Cyberattacker steals the login data from the victim (primarily the username/password combination) and sells it on the Dark Web for a very low price, even as low as $3.25 per record.  The primary reason for this is that this kind of theft is considered to be high volume in nature, and once the buyer has purchased this information from the Dark Web, they will immediately log into the portal accounts of the victims in order to access all of the PHI that they can, before the login credentials have been changed.  Heck, even the theft of medical insurance data is popular here, as the hacker can use that also to file fake claims under the identity of the victim(s).

*Prescription Labels:

Yes, even forged prescription labels can be sold and bought on the Dark Web.  This can then be used for illegal drug trafficking, and if they are intercepted by law enforcement, the Cyberattacker can always show this forged prescription to get off the hook.

*Other forms of Private Medical Data:

As it has been stated in this blog, this is also referred to as the PHI of the patient.  This is also a prized, crown jewel on the Dark Web, as the value of this can be 3X more than that of the Personal Identifiable Information (PII) which is often heisted in other Cyberattacks.

My Thoughts On This

Whether you believe this or not, according to the survey by Carbon Black, 84% of the CIOs and CISOs claim that their respective organizations actually provide regular security awareness training for their employees, at least once per year.  About 45% of the respondents said that they provide this kind of training at least 2X a year.  IMHO, this should be offered at least once a quarter.  Amazingly, over 33% of the CISOs and CIOs grade their current levels of Cyber Hygiene with a “C”.

All I can say is, wow.  One would think that after the Quest Diagnostics security breach, which impacted over 12,000,000 patients, the C-Suite would be much more proactive, but apparently, they are not there yet, and in my view, it is doubtful that they ever will be.

I have actually experienced a security breach at a healthcare organization.  I was a contract tech writer for BCBSIL in downtown Chicago, and during my stay there, they experienced an attack on their Single Sign On (SSO) systems.  That completely blew my mind.

I am not going to repeat the standard laundry list of what a healthcare organization should do to protect themselves from a Cyberattack, but here are a few items to consider:

*Establish more endpoint security:  Endpoints are often overlooked by Corporate America, and because of that, they are a much-cherished backdoor for the Cyberattacker to enter through.  Securing them closes off one more avenue for the Cyberattacker to penetrate.

*Consider the use of Artificial Intelligence:  This can be a great boon for any healthcare organization, as this tool can be used to automate routine Cybersecurity tasks, and filter through all of those alerts and warnings that have some merit to them, so that they can be appropriately triaged and responded to.

*Always back up your data:  Since data destruction and/or the theft of it for financial gain seems to be the primary goal of the Cyberattacker, always keep a backup, both offsite and onsite.  This will be of paramount importance, especially if your organization is hit by a Ransomware Attack.

Finally, for the average American selecting a healthcare plan through Obama Care, be very careful of Robocalls and Phishing Emails.  I just got one last week.  A few days after we enrolled in the new healthcare plan for 2020, I got an Email claiming to be from BCBSIL saying that they had updated our records.  But upon closer look, this was a Phishing Email.  The clues?  Mismatches in the links, and misspellings in the subject header.

Be very careful of these kinds of Emails just after you enroll, and even afterwards until open enrollment is completely over.
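The two clues named above (link text that names one domain while the link actually goes to another, and a misspelled brand name in the subject line) can be checked mechanically. The script below is an added example written for this post, not code from the original post or from any insurer or from Healthcare.gov. The email body, the subject line, the brand list and the function names (`find_link_mismatches`, `lookalike_brands`) are all constructed for illustration; the domain comparison uses a crude "last two labels" rule rather than the public suffix list, which is fine for .com/.net but would need refining for country-code domains.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: the visible text of the first link names the
# insurer's real site, but the href points somewhere else entirely.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>We have updated your records. Please <a href="http://bcbsil-records-update.example.net/login">
sign in at www.bcbsil.com</a> to review.</p>
<p>Questions? Visit <a href="https://www.bcbsil.com/help">www.bcbsil.com/help</a>.</p>
</body></html>
"""

# Constructed sample subject line with a look-alike spelling of a real brand.
SAMPLE_SUBJECT = "Your Heathcare.gov recrods have been updated"

# Brands the recipient actually deals with (assumed list for this example).
KNOWN_BRANDS = ["healthcare.gov", "bcbsil.com"]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: the last two DNS labels (assumption, see lead-in)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


_HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def find_link_mismatches(html):
    """Return (href, text, href_domain, text_domain) for each link whose visible
    text names a domain different from the one the href actually resolves to."""
    parser = LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue  # no domain shown in the link text; nothing to compare
        href_domain = registrable_domain(urlparse(href).hostname or "")
        text_domain = registrable_domain(match.group(1))
        if href_domain != text_domain:
            mismatches.append((href, text, href_domain, text_domain))
    return mismatches


def lookalike_brands(subject, brands, threshold=0.8):
    """Return (token, brand) pairs where a subject-line token is close to, but not
    exactly, a known brand name: the kind of misspelling the post describes."""
    hits = []
    for raw in subject.split():
        token = raw.strip(".,:;!?()[]\"'").lower()
        for brand in brands:
            ratio = SequenceMatcher(None, token, brand).ratio()
            if token != brand and ratio >= threshold:
                hits.append((token, brand))
    return hits


if __name__ == "__main__":
    for href, text, hd, td in find_link_mismatches(SAMPLE_EMAIL_HTML):
        print(f"link text says {td!r} but href goes to {hd!r}: {href}")
    for token, brand in lookalike_brands(SAMPLE_SUBJECT, KNOWN_BRANDS):
        print(f"subject token {token!r} looks like {brand!r} but is not it")
```

On the constructed sample, the first link is flagged (text says bcbsil.com, href goes to example.net) and the second is not, and the subject token "heathcare.gov" is flagged as a look-alike of healthcare.gov. The same two checks are what a mail gateway or a cautious reader applies by hand: hover the link and compare the real destination with what the text claims, and read the sender's brand name letter by letter.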