Why Do Cybercriminals Target Health Care Facilities?

Big data and data science are being leveraged in modern hospitals and doctors’ offices to support all sorts of public health and scientific initiatives. Even mental health systems are beginning to see the benefits of collecting and analyzing more patient data.

This means health care centers are becoming major hubs for sensitive personal information. Cybercriminals are disproportionately targeting health care facilities because of the valuable data thieves can obtain. 

Understanding the motivations of a cybercriminal can help you mitigate the risks. This guide takes a closer look at why cybercriminals target health care facilities and what people can do to protect themselves and their valuable information.

Top 3 Reasons Cybercriminals Target Health Care Facilities

A medical record is a treasure trove of personal and sensitive information. The Health Insurance Portability and Accountability Act (HIPAA) classifies patient information, including Social Security numbers, dates of birth, contact information (such as email addresses, home addresses and phone numbers), credit card information, account numbers and beneficiary information, as protected health information (PHI).

Cyberthieves are targeting medical records and health care facilities for PHI. Here are the top three reasons:

Health Care Records Are Valuable

PHI is worth money on the black market. According to CBS News, “full medical records can command up to $1,000 because they’re an identity thief’s dream: date of birth, place of birth, credit card details, Social Security number, address, and emails.” A hacker or criminal may be able to buy a Social Security number on the dark web, but without other identifying information, the number may not be useful.

Cybercriminals may not always sell stolen records on the dark web because they can make more money off of hospitals and medical facilities in other ways. Hackers can install ransomware that they control remotely on a facility’s computers. They can then lock access to computers and servers to coerce medical professionals into paying to regain access to their computers and medical record systems.

Data Can Be Used to Commit Identity Theft

Medical records often include extremely sensitive information such as Social Security numbers, dates of birth and contact information. This can be used to fraudulently open new bank accounts or get loans or credit cards in the individual’s name. Fraudsters can also use PHI to get medical care in another person’s name, sticking an unsuspecting victim with a hefty medical bill, higher insurance premiums, and a negative credit report.

Poor Health Care Cybersecurity: Health Care Facilities Are Easy Targets

Ultimately, health care facility networks are increasingly targeted because they can be easy to infiltrate. Not all medical facilities have the budget to invest in the latest security software and computer equipment. Many institutions use home-based or legacy operating systems and insecure internet browsers.

In many cases, health care practitioners are not data science experts or cybersecurity specialists, and may not have robust data governance protocols in place. Their focus is on saving the lives of patients, not worrying about the safety of their computer systems and networks. Further, health care professionals must access many different applications during work, and each could pose a risk.

What Can You Do to Protect Your Health Records?

Just as health systems are increasing their collection of and reliance on digital health information, they are becoming aware of the risks and responsibilities this data can bring. With awareness comes the opportunity to safeguard systems.

The need for better data management in doctors’ offices and health systems is one potential application for data science degree programs, which can supply professionals capable of securely gathering and organizing data. Data scientists trained in analytics and cybersecurity best practices can help health systems leverage data while preserving security and patient privacy.

As the patient whose information is at risk, you don’t have to wait for your medical practitioners to tighten up their security. You can protect yourself (and your information) in the following ways:

Don’t Provide Sensitive Information Unless It Is Absolutely Necessary

Know your rights about what information you must provide and avoid providing more than you need to. Your Social Security number, specifically, should not be shared or provided unless it is mandatory.

VA hospitals and insurance companies will require your number, but you’re under no obligation to provide your number to health care providers. As for other information, such as credit card numbers, a medical office should not keep a photocopy or written record of your full credit card number. For a medical office to be PCI compliant, cardholder data must be rendered unreadable.

Ask Your Doctor’s Office How They Handle Your Data

If you’re uneasy about how your medical records are kept, don’t be afraid to ask your doctor’s office how they handle and protect your personal information. In some cases, the doctor’s office may put your worries at ease.

If the office doesn’t provide you with a satisfactory answer, you can limit the amount of personal information you provide or, if you are really concerned, consider changing your doctor.

Check Your Explanation of Benefits Statements for Accuracy

The Explanation of Benefits (EOB) statement is mailed by your health insurance company to explain what health services and medical treatments were paid for on your behalf. Review your EOB carefully—you may find treatments you don’t recognize, which may be fraudulent services. This could mean someone used information connected with your identity to access medical services.

Periodically Review Your Medical Records

In addition to reviewing your EOB, checking your medical records could uncover services and treatments in your name that you never solicited or received. 

Don’t Enter Sensitive Personal Health Information Online

Entering your sensitive information online isn’t recommended. There are too many vulnerabilities online as your data travels between your home network and the health provider.

Your home network or computer may have spyware installed, which monitors and records your keystrokes. Your internet connection itself may not be secure. If you have to provide personal information, it’s best to present it in person or over the phone, if you’re sure who you are speaking with.

Regularly Check Your Credit Report 

The Fair Credit Reporting Act (FCRA) provides you with access to a free annual credit report. Be sure to check it every year to watch for any unusual accounts you don’t recognize or medical collections for treatments you never received.