Healthcare Data Breaches Have Grown 125 Percent in Five Years

By | May 26th, 2015|Breach, Uncategorized|

There has been a noticeable uptick in the number of criminal attacks against healthcare facilities in the last five years. Ponemon recently released its Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, which reported a 125 percent increase in cyber attacks targeting healthcare data. The major shift in healthcare data breaches, according to the study, is that cyber criminals are intentionally targeting and exploiting healthcare data rather than accidentally coming across it during their exploits.

This shift to active pursuit of healthcare data shows that cyber criminals understand the value of healthcare data on the black market. Through our recent research, we have found that a medical identity, which includes a name, address, Social Security and health ID numbers, sells for $50 on the black market. A Social Security number sells for $1 and an active credit card sells for $3. A major contributing factor to the increase in healthcare breaches may also be the shift to digital healthcare records. Starting this year, healthcare facilities that do not show “meaningful use” of electronic health records are penalized, causing facilities to scramble to put records online.

The healthcare industry is a green market when it comes to following best security practices, which is why we’ve put together the top three ways healthcare organizations can keep their patient records secure:

  1. Educate employees. The most important part of having a secure network is making sure your employees are compliant with security standards. Educate employees on how medical identity theft happens and what to do from a HIPAA standpoint to keep patient data safe.
  2. Track, encrypt and password-protect mobile devices. Employees are connected via mobile devices more than ever, whether or not you have a formal BYOD policy. Be sure to create a policy that puts strict limits on how patient data can be viewed and shared on devices.
  3. Create an identity crisis response plan. If your healthcare data is breached, make sure to have a crisis plan in place, including communication with patients. Maintain the plan by training staff on relevant policies and procedures.

Are you surprised by the value of medical identities on the black market? How else can the healthcare industry get up to speed on best security practices? Let us know what you think on Facebook, Twitter and LinkedIn.

Proving Your Identity At The Doctor’s Office: An Imperfect System

By | October 29th, 2014|Uncategorized|

This guest blog post comes from Dr. Suzanne Barber, Director of the Center for Identity at The University of Texas at Austin. You can learn more about medical identity theft in our recent webinar on the topic, or check out our corresponding whitepaper and infographic.

When you’re sitting in the waiting room at the doctor’s office, you often have a lot of worries—your diagnosis, the long wait, or simply trying to avoid catching a cold from the patient next to you. One concern that doesn’t often cross our minds is whether or not a thief is sitting in another doctor’s office halfway around the world, pretending to be you.

By 2015, as part of the Affordable Care Act, most medical providers will need to meet implementation requirements for electronic medical records. This means that most doctors’ offices and hospital systems will need to give up their old paper charts for electronic charts. Known as electronic health records (EHR) or electronic medical records (EMR), they include not only the digitized records themselves, but also the methods used to exchange information and patient data between different providers, labs, hospitals and pharmacies.

While the possibilities are great for increased coordination and accountability within the healthcare field, the move to EMR does leave sensitive medical information at a higher risk for identity theft and data breaches. This could mean more criminals using your health insurance for themselves or worse, using sensitive health information about you to inflict other types of damage. As consumers and patients, we need to keep a few basic questions in mind as the healthcare industry undergoes this change.

The first question we should ask is “What information is being collected about me?” While many of us blindly fill out forms—at the doctor’s office or the PTA sign up table—information about us is actually quite valuable. We have the right to ask questions about why or who will use that information, particularly when it is about sensitive topics like our health. Public health officials, researchers and insurance companies all have an interest in gaining new insights into health trends and effective treatments. But information that we choose to share in a doctor’s office should directly benefit us as patients. It’s okay to ask whether a question or a blank in a form is needed to provide you with better care or whether it is only helping an insurance company determine their costs and reimbursements. The decision of how much to share is always ultimately the patient’s to make.

As health information moves from paper to digital storage, it can be more easily hacked. As patients, we should understand where our information is stored and where it is sent. The burden of data storage for EMR is on medical practitioners, many of which are small business owners. Are they prepared? Do they have the infrastructure, security measures and properly trained staff to manage the data? We can—and should—hold them accountable for how well they protect our EMR. Our medical providers must protect our information as well as our health.

Finally, as patients and consumers of healthcare in the United States, we should determine whether the system we have is the one that serves us best. Currently, patients have little or no control over their own health records. Charts, data, test results, prescription requests, immunizations and confidential doctors’ notes live in myriad places—online and offline, in our own country and in data centers beyond our borders. Is there a future where patients themselves could store and secure their own data? That day may not be far off, as consumers grow increasingly frustrated with security lapses and data breaches. According to the U.S. Department of Health and Human Services, in just the past two years, more than 8 million people have been affected by the breach of unsecured health information.

As we as a society begin to better understand the value associated with our personal information, consumers may begin to demand more transparency about how their sensitive information is managed and secured. When this information is some of our most basic health data, patients may make buying decisions based on how their personal information is protected. Whether it is the insurance company, hospital, pharmacy or doctor’s office, as records go digital and record sharing happens at the click of a button, patients have more to consider than just the care they receive.

News Recap: Ebola Phishing and Malware

By | October 24th, 2014|Uncategorized|

Ebola has caught the attention of consumers, the media and now cyber criminals. According to ZDNet’s Violet Blue, the United States Computer Emergency Readiness Team (US-CERT) sent an alert for consumers to be on watch for email scams involving Ebola news as phishing bait. The alert stated, “Phishing emails may contain links that direct users to websites which collect personal information, such as login credentials, or contain malicious attachments that can infect a system.”

HelpNetSecurity’s Zeljka Zorz found that Hoax-Slayer compiled a list of Ebola-related phishing schemes. Fahmida Rashid from PC Magazine shared a list of subject lines email users should ignore, including: “Ebola Safety Tips-By WHO” and “HEALTH NEWS: Secret Cure for Ebola?” Rashid shared New York State Attorney General Eric Schneiderman’s warning about online cyber tricks: “Scammers are shamefully exploiting this moment of heightened concern about public health to defraud good people,” he said.

Not sure what to look for in a phishing scam? Rashid advises not to fall for “product pitches claiming a secret, miracle cure.” Fake products for sale can lead to cyber criminals stealing credit card numbers, she reports.

Why do cyber criminals take advantage of national public concerns? How can consumers identify phishing emails and what should businesses do to educate employees about avoiding phishing scams? Let us know your thoughts on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

cyberSAFE Webinar Series Recap: Looking for a Cure for Medical Identity Theft

By | October 21st, 2014|Uncategorized|

While stories about large-scale financial and retail breaches are making headlines on a regular basis, it is medical identity theft that should be taking center stage. Why? In 2013, the healthcare industry experienced more data breaches than ever before, accounting for 43% of all breaches that year.

In the most recent edition of our cyberSAFE webinar series, Ann Patterson of Medical Identity Fraud Association (MIFA) and Dr. Marie-Helen Maras of John Jay College of Criminal Justice, along with CSID’s own Bryan Hjelm, discussed the latest on this topic.

They addressed the trends in medical identity theft, implications for healthcare organizations and patients, and provided recommendations for how the industry – as well as consumers – can make secure changes moving forward. The panelists also took a look at CSID’s findings from our recent survey of healthcare organizations. Watch a recording of the webinar below and read our whitepaper for survey findings and analysis.

Our survey found that most small healthcare facilities are unprepared for a data breach. While healthcare breaches are on the rise, most small healthcare facilities feel that their systems adequately limit the risk of a data breach – yet one in three facilities spends less than 10% of their IT budget on protecting patient data, and less than a third (28.6%) have a crisis plan in place in the event of a breach. To better protect patient data and secure their systems, healthcare facilities of all sizes should focus on the following:

  • Educate employees and partners
  • Install and maintain anti-virus software
  • Track, encrypt and password-protect mobile devices with access to patient data
  • Audit and vet third party vendors that will have access to patient data
  • Implement multi-factor authentication requirements across the organization

We encourage you to check out the corresponding infographic, watch the webinar recording below and read the whitepaper. If you have any questions or comments for us, you can always reach out to us via Twitter and Facebook. Find out more about CSID’s cyberSAFE webinar series and watch previous recordings.


A Look Inside Electronic Medical Records

By | October 16th, 2014|Uncategorized|

Medical identity theft is not a new topic; however, the rising number of cases is starting to cast a shadow on the healthcare industry. According to the Identity Theft Resource Center, medical identity theft accounted for 43 percent of all identity theft cases in 2013. Additionally, the FBI recently warned that cyber criminals are targeting the healthcare industry due to lax systems in place.

As the date for healthcare facilities to implement electronic medical records quickly approaches, we wanted to dive into the topic and explore what electronic records mean for the healthcare industry.

In 2009, the American Recovery and Reinvestment Act granted financial incentives for healthcare providers who put EMR into “meaningful use,” for example by using electronic filing systems, medical billing systems and transcription services. As of January 1, 2014, healthcare facilities have one year to abide by the Federal Mandate for Electronic Medical Records (EMRs). Since the start of 2014, private healthcare providers had to adopt EMR to maintain their Medicaid and Medicare reimbursement levels, according to the University of South Florida’s College of Medicine.

According to the Office of the National Coordinator for Health Information Technology, “nearly six in ten (59 percent) hospitals have adopted at least a basic electronic health records system… [representing] a five-fold increase since 2008.” As more medical facilities adopt electronic health records, the entry point for cyber crime increases, putting consumers and facilities at risk.

How to safely implement EMR:

  1. Educate all staff – not just the IT department – on the use of EMR. It’s important for all employees to understand the sensitivity of the data they are dealing with on a daily basis. Put policies in place to protect EMR and enforce those policies.
  2. Evaluate your BYOD policy. There are already many entry points for cyber criminals to access sensitive patient information. Make sure your employees’ personal devices are not one.
  3. Treat EMR as a facility-wide adoption. The IT department has a heavy role in protecting EMR, but the medical facility is only as strong as its weakest link. Help create a culture of security at the facility.

What are some additional best practices for medical facilities to consider as they implement EMR? Let us know on Twitter, Facebook or LinkedIn.

Celebrate National Cyber Security Awareness Month by Protecting Your Health Information

By | October 8th, 2014|Uncategorized|

This guest blog post is a part of our cyberSAFE blog series focusing on medical identity theft and health IT topics. It comes to us from Kara Wright, the Digital Media Coordinator for the National Cyber Security Alliance. She assists the operation and development of the STOP. THINK. CONNECT. and National Cyber Security Awareness Month campaigns and works with other NCSA staff to increase the campaigns’ footprint and reach across social and digital properties.

October marks the 11th annual National Cyber Security Awareness Month (NCSAM), which aims to ensure that every American has the resources needed to stay safer and more secure online. Healthcare organizations are constantly advancing in technology, and because they handle sensitive patient information it is especially important for health organizations to have strong cyber security practices. This NCSAM is a good time to remember the importance of and the relationship between cyber security, online safety and health IT.

Cyber criminals become more sophisticated every day, as evidenced by the growing numbers of data breaches affecting major companies, and it is important for all individuals and organizations to look at ways they can protect themselves and their information.

One area of cybercrime that impacts healthcare providers and patients in particular is medical identity theft, which occurs when a thief uses someone’s name or health insurance numbers to see a doctor, get prescription drugs, file claims with his or her insurance provider or get other care. This type of identity theft could impact a victim’s treatment, insurance and payment records and credit report. The Federal Trade Commission website has information on how to detect identity theft, correct mistakes in your medical records, protect your medical information and check for other ID theft problems.

If you believe you have been the victim of identity theft or if you want to learn how to protect your identity and personal data, you can visit the Identity Theft Resource Center for tips, resources and toll-free assistance. Additionally, NCSA’s ID Theft and Fraud page lists a number of great resources for reporting cybercrime and accessing victim resources.

Follow these tips to help protect your personal information:

  • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on their sites.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
  • Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals.
  • Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer.
  • Own your online presence: Set the privacy and security settings on websites to your comfort level for information sharing when they are available. It’s OK to limit who you share information with.

For additional tips, resources and other ways to help secure your data, visit the STOP.THINK.CONNECT. website.

Have a great NCSAM 2014! For more information about the month and how you can get involved, visit

#cyberSAFEchat: Let’s Talk Medical ID Theft and Health IT

By | October 3rd, 2014|Uncategorized|

Medical identity theft is a growing risk for patients and the medical industry. Ponemon Research found that in 2012 and 2013, 90 percent of healthcare organizations exposed or lost patient data. The industry has seen more than 200 breach incidents in 2014 alone. And to top it all off, medical identity theft victims estimate the value of medical services stolen in their names at $29,464 per incident.

To help shed light on the increasing risks and consequences of medical identity theft, we are hosting another edition of #cyberSAFEchat. In this chat we will explore trends in health IT and tips businesses and consumers can utilize to protect themselves from medical identity theft and recover as quickly as possible if they become victims.

Join us Monday, October 20th at 1 PM CT with co-hosts Medical Identity Fraud Association (MIFA) and the UT Center for Identity. The hour-long Twitter chat will address the following key questions:

  • What is medical identity theft, how does it happen and why?
  • What impact does medical identity theft have on consumers and organizations? What happens to an identity once it is stolen?
  • Any examples of medical identity theft? How did it happen and how did it affect the victim?
  • How can consumers and organizations prevent and mitigate the impact of medical identity theft? What are some best practices?

To participate in this #cyberSAFEchat, all you need is a Twitter account. You can follow the hashtag #cyberSAFEchat on Monday, October 20th from 1 to 2 PM CT and tweet your questions and comments to the group by including #cyberSAFEchat in your tweets.

Be sure to connect with @CSIdentity, @MedIDFraudAssoc and @UTCenterForID on Twitter, and let us know if you plan on participating. See you there!

News Recap: FDA Establishes Cyber Security Guidelines for Medical Devices

By | October 2nd, 2014|Uncategorized|

The U.S. Food and Drug Administration (FDA) released cyber security guidelines for medical devices this week, recommending that manufacturers consider and submit the cybersecurity risks associated with the medical devices they make and provide ways to mitigate risk via operating system and software updates.

USA Today’s Elizabeth Weise reported that the Director of Emergency Preparedness at the FDA’s Center for Devices and Radiological Health, Suzanne Schwartz, advocates for manufacturers to stay diligent about protecting patients from cyber security risks.

“There’s no such thing as a threat-proof medical device,” said Schwartz in USA Today.

The FDA will host a two-day cyber security workshop for manufacturers, healthcare providers, engineers, IT professionals and others in Arlington, Virginia during October, reported InformationWeek’s Jai Vijayan. The purpose of this event is “to spur a discussion on the best ways to identify and mitigate cybersecurity vulnerabilities in commonly used medical devices.”

How will these guidelines shape the way medical devices are made in the future? What improvements – or problems – will arise from these guidelines? Let us know your thoughts on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories. You may also join us for our upcoming webinar on the topic of medical identity theft, where we will discuss a similar topic. Hope to see you there!

News Recap: Two Healthcare Cybersecurity Systems Breached

By | September 19th, 2014|Uncategorized|

According to USA Today contributor Steve Weisman, and Community Health Systems have experienced recent data breaches.

Last week, officials said they learned that, the site that “hosts the federal insurance exchange on which millions of American have purchased health insurance,” was breached earlier in July, reported TIME’s Denver Nicks. During further investigation, it was found that “hackers had not coordinated an assault to get valuable personal information, but had intended to install malware to allow other computers to control the system for later mass attacks, like a DDOS attack, designed to send so many visitors to a website it overwhelms the site’s ability to function. Investigators said they believe the hack is not the work of another government or government sponsored group.”

In an unrelated attack, Community Health Systems, “a hospital chain with medical facilities in 29 states in which the records of 4.5 million patients of Community Health Systems’ hospitals including names, addresses, birth dates and Social Security numbers were stolen” by Chinese identity thieves using Heartbleed, Weisman reported.

The FBI recently warned that cyber criminals are specifically targeting the healthcare industry. Reuters reporter Jim Finkle mentioned that the FBI sent a warning in April to the healthcare industry, stating that “its systems were lax compared with other sectors, making it vulnerable to hackers looking to access bank accounts or obtain prescriptions.”

Why is the healthcare industry behind in its cyber security measures? How can the industry as a whole become more secure? We’re hosting a webinar on this topic October 21st at 12 PM CT, and would love for you to join. As always, please join the conversation on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.

cyberSAFE Webinar Series: Looking for a Cure for Medical Identity Theft

By | September 17th, 2014|Uncategorized|

Our cyberSAFE series is back with another free webinar: join us October 21, 2014 at 12 PM CT to discuss medical identity theft and the rapidly approaching Electronic Medical Records Mandate.

Many consumers are unaware of medical identity theft and the harm it can cause – both to their wallet and their health – yet this is the fastest growing segment of identity theft in the United States. The Identity Theft Resource Center found that breaches of medical records with PII accounted for 43 percent of all PII breaches in 2013. In addition, Ponemon Research reported that 90 percent of healthcare organizations have exposed their patients’ data or had it stolen in 2012 and 2013, and the industry has seen more than 200 breach incidents in 2014 alone.

In our upcoming cyberSAFE webinar, medical fraud experts will address the growing problem of medical identity theft and related topics, including: Electronic Medical Records and the threats consumers and businesses face; how medical identity theft happens and what happens to an identity once it is stolen; the impact of medical identity theft on businesses and consumers; and what solutions businesses and consumers can implement to prevent and mitigate the impact of medical identity theft.

We have pulled together an excellent group of experts for the discussion, including Ann Patterson, SVP and Program Director of the Medical Identity Fraud Alliance, and Dr. Marie-Helen Maras, Associate Professor at John Jay College of Criminal Justice. Additional panelists will be announced soon.

Join us for this free one-hour webinar on October 21 at 12 pm CT. If you are a business owner, healthcare professional, IT professional, or even someone who has ever been to the doctor – we encourage you to sign up, listen in and ask questions.

Register now – it is a great way to get involved with National Cyber Security Awareness Month (NCSAM) this October! And as always, join conversations about the webinar on social media using the hashtag #cyberSAFE.

Plus, join us Monday, October 20 at 1 PM CT for a Twitter chat on the same topic – just use the hashtag #cyberSAFEchat.
