What threats are we facing?
“If criminals break into the hospital’s network and steal data from there the hospital is responsible, even if it has outsourced its data processing.” (Stephen Cobb)
“Companies and consumers need to know that there is a thriving global black market in personal information”, Cobb points out, and he is specific about what that market trades in: “This includes everything from basic data like name and email address to data like the Social Security Number, date of birth, account passwords, and of course, medical records.” Criminals steal this data wherever they can find it, and healthcare organizations, which often hold large databases of personal information, are an obvious target. Criminals who steal personal information can sell it on the black market to other criminals who have figured out ways to monetize it. “They do this through a wide range of fraudulent schemes, many of which involve some sort of identity theft. The result can be anything from your income tax refund being delayed to someone getting medical services in your name”, Cobb states.
The risks are many and varied, but Stephen Cobb sees four main categories:
- There are the risks that have monetary impact, like losing money to fraudulent bank transfers made using stolen credentials.
- There are health risks if medical data is abused to obtain medications or procedures.
- Then there are risks to the reputation of the organization from which the data was stolen, and
- a societal risk that trust in technology will be eroded by criminal activity, undermining the great potential of digital technology to improve healthcare delivery.
How can we prevent those risks?
There are well-documented security practices that can greatly improve an organization’s resistance to attacks by cybercriminals. These start with data mapping and risk analysis, in which all of the personal information handled by the organization is identified and the potential threats to that data are evaluated. “After documenting the risks an organization can plan how it will mitigate them through security measures”, the expert explains. “Low probability risks might be accepted while high impact risks might be transferred through cyber risk insurance.” A weak spot in this process is underestimating the level of certain risks, particularly new and emerging ones. For this reason the risk analysis must be updated regularly rather than treated as a one-off exercise.
At the same time, “it should be noted that, while there is a high level of interest in, and concern about, complex new security vulnerabilities, many security breaches come about because basic security measures were not correctly or not uniformly applied. More than one major breach has been announced as ‘a sophisticated nation state attack’, but later found to be much more mundane in origin and execution”, according to Stephen Cobb.
Who is responsible in a case of abused data?
There are often multiple parties and different levels of responsibility involved in the handling of data. A hospital may collect and store information about a patient, but send some of that data to a billing company, which then shares it with an insurance company. “If criminals break into the hospital’s network and steal data from there the hospital is responsible, even if it has outsourced its data processing”, states Cobb. This is important when thinking about the risks of cloud computing. “However, the data processor may also be held responsible”, adds Cobb. If personal information or a medical record is stolen from an insurance company that is processing a claim, then that insurance company is responsible. This shows that data security is an important topic that involves every organization dealing with personal data. Cobb summarizes: “In other words, you cannot outsource responsibility.”
“I worry that the level of criminal activity targeting personal data will erode trust in digital technologies, although these have great potential to improve quality of life and living standards around the world”, Stephen Cobb fears. Now more than ever we need to manage these risks appropriately as we move forward with new technologies.
Stephen Cobb has been researching computer security and data privacy for 25 years, advising companies, consumers, and government agencies on the protection of sensitive data and systems. Cobb has been a CISSP since 1996 and currently leads a San Diego-based research team for security software maker ESET. He is also working on an MSc. in Criminology at the University of Leicester in England.