Thoughts about data breaches in the medical sector

In the recent IAPP dashboard, Ryan Chiavetta published a great article about data breaches in the medical sector and how the data is sold on the dark web.

This article tackles a crucial issue that’s been out of the spotlight for quite some time. In one of my previous positions, I worked at a cyber threat intelligence company. We used to see patients’ medical records being offered for sale all the time, and while we understood the impact, the companies replied with more of a “there is not much we can do” approach. The response varied between “it’s terrible, but we don’t have the resources to deal with it and our management won’t add to our budget” and “we don’t know what you’re talking about, it didn’t come from us, it must be a third party”.

At Prifender, we believe that we are witnessing the result of several problems that come from several disciplines:

1. Awareness – this is actually a multidisciplinary problem. “We are a hospital, no one is interested in hacking us” is still a phrase that we hear all too often. Ryan’s article stresses that this is not the case anymore, and I can add that it’s been this way for a while now. While credit card companies have multiple automatic policies in place to alert on even a mere suspicion of theft, and insurance in place to cover the user, health care companies store far more data and lack all of the above.
Under this category we also have the budget issue: lack of awareness and understanding leads to small budget allocations for the privacy and security departments.

2. Data mapping and data transfer – locating data in general, and PI specifically, is a difficult challenge. With data abundance and multiple systems, privacy officers at times don’t know where the data is located. Not knowing where data is makes protecting it mission impossible.

Data transfer is also a huge problem. Various departments within a health care provider share information with third parties, and in some cases do so without the CPO’s permission or knowledge. If a third party is breached, that doesn’t remove responsibility from the organization that shared the data. Health care companies must integrate technologies that map sensitive data in their organization and monitor data movement.

3. There is cyber security and there is privacy – although the two are related, they must be addressed differently. If an organization has a CISO, it doesn’t necessarily mean that they deal with privacy. Privacy requires different tools and methodologies than cyber security, and while security professionals are trained to deal with cyber-related issues, they do not necessarily have the tools and skills to deal with privacy. Yes, there are cases where the two overlap, but they are definitely not the same. Cyber security technologies in most cases are not privacy oriented and can’t answer privacy needs. Yes, it also means that separate budgets are needed…

To sum it up, data breaches in the health care sector have been happening for a while now and they won’t stop. Medical records are of huge interest and great value to cyber criminals, since they hold a large amount of personal information. Organizations must understand that they are being targeted all the time, and it’s not a question of “if” but of “when”.

Medical providers must take proper measures by hiring security AND privacy professionals and by integrating relevant technologies. I know that showing ROI is close to impossible when it comes to privacy or security, but no organization wants to be the center of an investigation when they are hit and thousands or even millions of patient records are stolen and offered for sale in a new thread in an underground market.