Case Study

Online Patient Data – the growing security imperative

By Jeannie Warner, WhiteHat Security.

In recent years the amount of personal medical information going online has exploded, thanks to connected digital healthcare ecosystems that improve the ability of providers and patients to access information and communicate. No one doubts these solutions make more efficient and cost-effective healthcare possible, but there is a downside.

The emergence of new medical-based web applications and networks has opened up enticing new avenues for online hackers, intent on accessing patient records to get their hands on valuable personal data.

That’s not good news for health providers, who face stringent and punitive penalties should they fail to deliver against their confidentiality obligations – or for patients, who risk a permanent violation of their privacy should their data be exposed in the event of a breach.

Health records are a prime target

IDC estimates that inappropriate e-security measures and the increased volumes of online patient data will result in one-in-three consumers having their healthcare records compromised in 2016. It’s a prediction that appears to be borne out by recently published findings from the Information Commissioner’s Office (ICO); its most recent data security incident trends report confirms the healthcare sector once again accounted for the most security breaches reported in the UK in 2015/16.

It’s a vulnerability scenario that’s being fuelled by the burgeoning digital healthcare economy. Today’s doctors are now able to access patient health records across multiple sites, using a variety of devices; insurance companies and hospitals can file and submit claims online; patients are using online portals to order prescriptions, make appointments and gain access to a growing number of digital and telehealth services.

All these methods provide opportunities for information to be accidentally shared or deliberately stolen. Digital health records offer potentially rich pickings for cyber criminals, representing a primary source for harvesting a wealth of information such as social security numbers, birth dates, address information and insurance records. And the incentives and rewards are high: a medical record typically sells on the black market for around £30.00, considerably more than a mere credit card number.

Protecting against vulnerabilities

Human error is part of the problem, as the recent 56 Dean Street clinic incident showed: a member of staff disclosed the names and email addresses of 780 patients when sending out a newsletter regarding HIV services.

But a far greater risk is the wealth of information stored behind the large attack surface of web applications; no wonder then that 40% of all breaches occur at the application level. Indeed, when researchers at WhiteHat Security evaluated a number of healthcare sites, they found that on average each site exhibited 12 vulnerabilities, five of them 'serious', meaning they could be classified as either 'critical' or 'high-risk' on the OWASP risk-rating scale.

That represents a big problem for healthcare organisations, which often have limited internal resources to combat application data breaches and will frequently outsource aspects of their web infrastructure to third-party developers. On top of that, it takes an average of 208 days to rectify and implement a fix for a known or identified vulnerability.

The answer, surely, is to implement a more secure software development lifecycle that detects vulnerabilities in source code, mobile and web applications early on, so that they can be eradicated before deployment. But that is only half the battle.

To keep patient data secure, healthcare organisations and their partners will also need to utilise additional lines of defence, such as a live application scanner that picks up vulnerabilities as they emerge. This enables teams to automate the monitoring of web applications, no matter how frequently changes are made, and to instantly block attempts to exploit vulnerabilities in production environments.

The worrying rise in data breaches underlines how seriously security practices around handling eHealth data need to be taken. Deploying appropriate security technologies is becoming the key to ensuring that a healthcare organisation minimises the risk of hitting the headlines for the wrong reasons: a massive security breach that exposes the personal data of thousands of patients.