Because of the great amount of personal information involved, medical records command a high value on the dark web and can be listed for up to $1,000 each – 10 times more than the average credit card data breach record. Cybercriminals can then easily obtain this information and impersonate legitimate patients.
This is why digital identity verification is a key component of patient security, and why all sectors of healthcare need to properly vet and verify their patients to ensure that they are who they claim to be.
Over the past decade, there have been more than 2,550 healthcare data breaches impacting more than 175 million medical records, according to the HIPAA Journal. That is the equivalent of more than 50% of the U.S. population.
Cybercriminals are more empowered
“What’s not commonly understood is that medical records command a high value on the dark web,” said Robert Prigge, president of Jumio, a vendor of artificial intelligence- and biometrics-powered digital identity verification technology.
“Given the scope of recent data breaches, including Dominion National, Quest Diagnostics and LabCorp, and the growth of the dark web and identity theft, cybercriminals are empowered to more easily impersonate legitimate patients,” he said.
In fact, the number of exposed records more than doubled year over year, from 5,138,179 records in 2017 to 13,236,569 records in 2018, according to the HIPAA Journal.
So what is the danger of identity theft in the healthcare industry? Medical identity theft is a lesser-known form of identity theft, but the consequences can be devastating. It not only affects the patient, but also has ramifications on healthcare providers and insurance companies.
“If fraudsters can secure the account credentials of legitimate patients, then they can perpetrate fraud on a larger, scarier scale,” Prigge said. “Medical identity theft occurs when a fraudster illegally obtains and uses a patient’s personally identifiable information, such as name, Social Security number, and/or medical insurance identity number, to fraudulently obtain or bill for medical goods or services.”
The black market
This kind of fraud also includes the unauthorized personal gain of insurance benefits, prescription drugs, employment, government benefits or other financial gain acquired through the theft of another individual’s PII. Hackers have also been known to sell stolen healthcare records on the black market.
“To combat this growing threat, healthcare organizations of all stripes need to properly vet and verify their patients to ensure that they are who they claim to be,” Prigge stated. “The growing number of healthcare records on the dark web mandates a different approach.”
Traditional methods of user authentication, especially the old username and password paradigm and knowledge-based authentication, need to be re-examined and, in many cases, scrapped in light of this looming threat, Prigge contended.
“With stolen credentials, cybercriminals can impersonate users or undertake phishing or credential stuffing attacks via account takeover,” he explained. “Passwords and credential theft are wreaking havoc on cybersecurity. That’s why more forward-thinking organizations are replacing passwords and other shared secret authentication methodologies with an approach that leverages one of the more under-appreciated technological advances many of us use every day – biometrics.”
Credential stuffing and account takeover
The healthcare industry is constantly targeted by credential stuffing and account takeover fraud, a problem compounded by the growing number of connected medical devices. For example, Sutter Health, which serves more than 3 million patients, deals with countless cyberattacks daily. It was hit with around 87 billion cyberthreats in 2018 alone, Prigge reported.
Attacks on healthcare organizations are increasing every year. There are a variety of flavors, including:
- Hacking provider data to steal administrative paperwork — like medical licenses — to forge a doctor’s identity. This data sells on the dark web for around $500.
- Hacking an insurance company’s log-in information and then selling it to a buyer, who can reset the credentials, access the database and assume a victim’s identity to claim insurance. This can effectively cripple a hospital’s access to patient records and other critical systems.
- Forging health insurance cards, prescriptions and drug labels with an intention to carry drugs through an airport.
- Using hacked personal health information against individuals who have health issues for extortion and other crimes.
According to a 2019 Carbon Black survey, 83% of surveyed healthcare organizations said they have seen an increase in cyberattacks in the last 12 months.
“It’s not just billing data that hackers seek from the healthcare sector,” Prigge stated. “Medical records on individual patients often bring top dollar on dark web marketplaces. The data can trigger identity theft, credit card fraud and much more. Stolen health insurance details can also be used to obtain free medical or dental care.”
Know Your Customer regulations
Healthcare provider organizations need to adopt identity safeguards, similar to the Know Your Customer regulations adopted by the financial services industry, Prigge contended. Know Your Customer regulations apply to just about any institution that touches money, he added.
“The basic premise is that financial institutions should know their customers by verifying identities, making sure they’re real, confirming they’re not on any prohibited watch lists, and assessing their risk factors,” he explained.
“By having customers verify themselves, these institutions can keep money laundering, terrorism financing and more run-of-the-mill fraud schemes at bay,” he said. “The key is finding a balance so that these efforts are effective without penalizing innocent consumers.”
In a similar vein, it is important for healthcare organizations to take a Know Your Patient approach, Prigge contended. This starts, for example, by adopting an online digital identity verification system that verifies a patient is who they say they are by comparing a photo of a patient’s government-issued ID to a live photo, he said.
“This allows hospitals, offices, clinics and pharmacies to approve or deny online accounts and attempted purchases,” he said. “After an online account has been approved, medical offices and pharmacies can approve future online prescriptions and treatment requests by requesting a new photo of the patient and using online identity verification technology to automatically compare it to the photo captured at enrollment to authenticate the patient.”
The actual patient, not a fraudster
This type of practical identity verification can help, for example, ensure that medications remain in the hands of the actual patients, he said.
This type of identity verification can also ensure that prescription recipients are old enough to understand medication risks and will not misuse medications, he added. In hospital use cases, automating data capture during the initial patient intake allows a patient’s identity to be securely confirmed in seconds, saving time and effort on enrollment, he said.
The daily drumbeat of large-scale data breaches should give healthcare CIOs and CISOs pause. The sad truth is that healthcare CIOs and CISOs often are under-resourced, under-staffed and lack the IT skills to defend against a myriad of sophisticated cyber threats, Prigge contended. That’s why hospitals and other healthcare providers are the perfect mark for this kind of online fraud, he said.
“But the good news is that other industries have paved the way with more reliable and easy ways of online identity verification and authentication,” he said. “Instead of relying on insecure passwords, some healthcare organizations are embracing password-less, biometric-based solutions to make sure their clients’ data and their own infrastructures remain secure.”
Many patients already use biometrics on smartphones
And many patients who are increasingly tethered to their mobile devices are already comfortable with biometric authentication, such as Apple’s fingerprint ID and facial recognition.
“Cybersecurity teams just need to ensure that all mobile devices across their organization can be leveraged seamlessly to authenticate to workstations, applications and physical access systems,” Prigge said. “Organizations can then remove the password from the log-in process by creating biometric authentication processes that mimic what users are used to with mobile devices.”
By identity-proofing patients upfront and then repurposing a face-based biometric, doctors and pharmacies can ensure that the patient of record is the patient receiving treatment or the desired prescription — not some imposter posing as that patient, Prigge concluded.
“Because this methodology is being deployed in production in other contexts, and prescribed as a best practice by analyst firms such as Gartner, there can be some peace of mind,” he said.