A new report shows 1 in 3 Americans have been hit in health care data breaches, with more attacks to come. What can we do about it?
Get ready to receive hospital bills for surgery you never had, drugs you never took, and medical devices you don’t need and didn’t order.
A new report shows 2015 was the year attackers discovered the “easy button” for hacking into health care companies and stealing your information. The consequences can last a lifetime.
The report from Bitglass says 68% of health care data leaks in 2014 came from stolen or lost devices—like laptops left in cars. About 1.8 million people were affected.
In 2015, the numbers changed dramatically. Hackers took 98% of the leaked health care data, totaling more than 110 million records, or one out of three people living in the U.S., the report said.
“I think the data breach issue has ‘jumped the shark,’” said Steven Parker with Archer Security Group. “By now, pretty much anyone in the U.S. has likely had their key identity information compromised.”
How do they do it?
The attackers get in by tricking you with fake e-mails and fake websites, the report said.
The bad guys created sites with domain names like “prennera.com” for the Premera health care breach, and “we11point.com” instead of wellpoint.com for the Anthem breach.
Some employees who received the fake e-mails went to the fake sites and entered their usernames and passwords, giving the attackers full access.
Some cybersecurity experts say this kind of attack is too easy.
“We have to find better ways to authenticate people than relying on the secrecy of non-secret information,” said Parker.
Multi-factor authentication
This is a term you may come to know well, and either love or hate.
Multi-factor authentication can protect against these kinds of destructive hacks, according to some security experts.
“Most of the successful authentication attacks are against single- or zero-factor authentication systems,” said Jim Feely with Archer Security Group. “Passwords are a good example of single-factor authentication.”
He gave an example of multi-factor identification—instead of just logging in with your password, you would have to get and enter a special code you get on your phone.
“On the low end of cost, text messages with unique codes can be sent to a cell phone with the idea that only the owner of that particular phone number will have access to the phone,” said Feely.
Hate it
Two-factor identification has caused an outcry among students at Virginia Tech. Almost 800 people have signed a petition asking the school to get rid of the newly implemented security plan.
“This sucks,” wrote one petitioner.
“Take it down!” cried another.
“This login system is more obnoxious than people saying Peyton Manning had a significant role in the Broncos AFC Championship win,” wrote a third.
The security plan went into effect for many school platforms on at the beginning of January, reported the Collegiate Times.
Virginia Tech had a data breach in 2013, the school announced, and attackers accessed information belonging to 145,000 people who had applied for jobs.
“It is worth noting that two-factor authentication places some, but we believe minimal, continuing burden on a user but with no real gain in functionality that directly benefits the user,” the school’s Chief Information Officer, Scott Midriff, wrote in a memo to students and staff in November.
“However, two-factor authentication substantially reduces the likelihood of unauthorized access to sensitive information and important systems, thus reducing the time and money spent on remediation after a data breach as well as reputational loss,” he said.
“And, given the current and future cybersecurity threat environment, the single password is simply no longer sufficient as the only means for authentication,” he added. “Many universities have moved or are moving to two-factor authentication.”
How it works at Virginia Tech
The university describes ways students can use two-factor identification on its website.
It says they can use smart phones, cell phones, landlines, tablets or “tokens”—a physical device that you carry with you that, combined with a PIN, allows you to log in.
For example, you can use a mobile app to get a special log-in code, whether or not you have connectivity.
You can also get a text message with the code.
Or you can get a phone call, and an automated voice will tell you to press a key on your phone. Then you are logged in.
There are other options as well.
The site says you can call a helpline if you have any problems or have lost your device.
All this drives some students crazy.
“I lost my phone and fortunately found after 2 days,” wrote one on the petition site. “I couldn’t access scholar, canvas or hokie spa. The only way to overcome the problem was to call the helpline. How could I?”
At hospitals
Many hospitals are not using multi-factor identification to protect your information, according to a report in November.
The Office of the National Coordinator for Health Information Technology report says about 50% of hospitals have the capability to use it, potentially leaving some patients at risk.
The numbers vary from state to state.
Just 19% of Montana hospitals have the capability. But 93% percent of Ohio hospitals come through.
Two-factor identification for sensitive patent information databases is one of the key points for heath care security, according to cybersecurity company Forrester, as reported by CNBC.
“When it comes to preparedness, they’re woefully behind and that, to me, is the most concerning thing,” Forrester analyst Stephanie Balaouras said in the article.
Effects
Medical information is worth far more than credit card information on the black market. And the effects can last much longer.
A Wisconsin man was trying to buy a house when he learned he had an unpaid medical bill on his credit report, reported WTMJ in Milwaukee. It was for heart procedure—a procedure he said he never had.
“‘It’s not me,’ and that’s all I could keep saying,” Craig Murdock told the station. “I had no clue, at all, and for me that was the biggest shocker.”
He said he ended up paying the $1,500 bill.
“I could never go ahead and pin it down and get it erased from my credit,” he said.
Some health care identity theft victims can’t get the information erased from their medical records, either, and it becomes a part of their permanent file.
Help & change
Some health care organizations are taking notice.
Two national groups are coming together to work on security issues, now that attacks have “reached epidemic proportions,” according to Healthcare IT News.
The Electronic Healthcare Network Accreditation Commission and the National Health Information Sharing and Analysis Center have signed an agreement to improve prevention and recovery.
“There is an urgent need to increase awareness and identify means of prevention for the seemingly endless string of headline-grabbing cyberattacks this past year,” said Lee Barrett of EHNAC in the article. “The unfortunate fact is that hacks have increasingly become a part of digital life—and no person or organization is immune.”
If you do become a victim, there is new help from the Federal Trade Commission, a new site that allows you to report the crime and get a recovery plan.
For some, it may come down to the “hassle” of multi-factor identification versus the hassle of dealing with identity theft—medical or otherwise—and deciding which is worse.
Some may have already made up their minds.
“I HATE THIS,” announced one Virginia Tech petitioner.
And another, “GET YOUR 2 FACTOR AUTHENTICATION NONSENSE OUT OF MY LIFE.”