Protecting Medical Data: Database Security Research Paper

Abstract

 This paper explores articles that delves into the difficulties of protecting medical data in an electronic based environment, what can be done to protect medical data, and what to do in the event of medical data theft. Research was done using online research of journals and articles through the American Public University Library and from reputable website and agencies. The articles establish that medical data theft is currently a growing problem and establishes a relationship between the growth of the internet and cybercrimes, which also includes medical identity theft. A couple of the articles give in depth information on medical identity theft is in order to get a better understanding of the circumstances surrounding the criminal act and who the victims are.  Al Hamid, H. A., Rahman, S. M. M., Hossain, M. S., Almogren, A., & Alamri, A. (2017) suggest a fog computing facility with pairing-based cryptography for cloud storage of medical data as a security precaution. The articles delve into the intricate world of medical data and the current policies for protecting data, what further needs to be done, and what can be done in the event of a breach of security.

Keywords: medical identity theft, medical data, protecting data, breach of security

Protecting Medical Data

There is a healthcare crisis going on in the world beyond lack of medical care and malpractice, which involves the theft of medical data. Medical information is ideally something that most people want kept private between them, their medical providers, and insurance providers; unfortunately, with the use of electronic record keeping there is a concern that others may be able to access medical data for fraudulent purposes. There is different method used in order to obtain a person’s medical data; however, the rise in electronic theft has become a concern for the health care and insurance industries due to the millions lost each year from false claims. Consequently, there are currently healthcare data policies that are in place in an effort to prevent medical data theft, but it continues to be a growing problem.

According to the Federal Trade Commission Consumer Information, theft of medical information can lead to identity theft of a person’s name or health insurance numbers that can utilized to see doctors, get prescription, and file fraudulent insurance claims. Steps can be taken to protect personal medical data; however, it is necessary to understand that it needs to be a concerted effort between individuals, medical offices, and insurance companies. In the event that medical data theft occurs vigilance is key to protecting the individual’s identity, credit standing, and to prevent further fraudulent actions. Understanding the implications of the impact that medical identity theft and all that is involved in the process of ways in which identity is obtained, to the act of victimization, to the outcome is the only way to have a firm grasp on the magnitude of the growing problem. Cybercrimes involving medical data is on the rise; therefore, it is important to understand how medical data theft occurs, what can possibly be done to prevent it from occurring, and what steps to take in the event that it occurs.

Current Healthcare Data Policies

There are policies that have been established to protect healthcare data; however, with the emergence of electronic data storage there is a concern that current polices are not enough protection. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was created that was intended to address both patient privacy and insurance cancellation issues (Robichau, 2014). The problem is ongoing on both accounts and increasingly worse for patient privacy since the introduction of electronic data for patient files and information which enables cybercriminals easier access to patient information. HIPAA’s current policy regarding data breach requires those who are affiliated with personal health records to notify individuals that are affected from an unsecured PHI breach or personal health record information (Perkins, 2009). That puts the responsibility onto the providers who are in control of the heath records data to be required to notify individuals if they are aware of a breach, however, most times the breach is done at the personal level and goes unrecognized for a period of time before it raises red flags.

Currently steps are being taken in order to protect healthcare data, but the threat continues as hackers are able to garner access to electronic healthcare data. IBM and Ponemon Institute conducted research in 2015 conducting interviews of 350 companies in 11 countries and discovered that “more than 18 thousand records were breached on an average in each breached incident” (Khan, & Abu Sayed Md. Latiful Hoque, 2016). Part of the problem with the current system is the approach that is taken in regard to security and privacy policies. According to Abouelmehdi, Beni-Hessane, & Khaloufi, (2018), “a reactive, bottom-up, technology-centric approach to determining security and privacy requirement is not adequate to protect the organization and its patients.” The current policies are not sufficient when it comes to the protection of medical data, especially electronically stored and transmitted data.

Methods of Stealing Medical Data

Medical data includes Protected Health Information (PHI) that are personal identifiers for individuals that cybercriminals want to obtain to use for fraudulent purposes and monetary gain. One method that attacks use for financial gain is ransomware in which they shut down an internal computer system for a medical facility by encrypting sensitive data that can only be unlocked with a decrypt code. Payoff is usually in bitcoins and amounts into millions of dollars in order to regain access to their own healthcare records. Causes of health care breach can be from a range of different methods including: intentional non-malicious employee action, malicious insider, technical systems glitch, third party leak, unintentional employee action, lost or stolen computing device, and criminal attack (Khan & Hoque, 2016). For example, In February 2016 an employee errors compromised 91,000 Medicaid patient files according to Washington State HCA, and Centene Corp health insurance company lost six hard drives that contained clients personal and health information (Khan & Hoque, 2016). These are just a couple examples of the many incidents that occur each year that cause a breach in medical data security.

On an even larger scale, a breach can take place on healthcare servers and databases to obtain a large amount of PHI’s at one time. In the month of March alone in 2015 there was six hacking/IT incidents on servers for Health insurance company’s and the numbers are continuing to rise as cybercriminals manipulate security systems flaws so that they are able to penetrate them. Medical data does not only include personal information such as name, address, phone, birthday, and health information, but also credit card information, and Social Security

and bank account numbers as payment methods for medical care. Basically, obtaining health records data can be a one-stop shop for cyber criminals to obtain all the information that they need to create a false identity. That is the reason that medical record data is becoming even more popular that credit card fraud because of the magnitude of data that can be used that is obtained from the stolen records. The victims of the information theft are not only the people’s whose information has been stolen but also the ones that end up taking the biggest loss, which is insurance companies. Unfortunately, the insurance companies don’t end up only paying the ransom to the cyber criminals, but also a penalty to the government while the criminals usually get away with it.

Problems with Protecting Medical Data

With medical data being stored electronically and data being transferred over the internet, security becomes a major issue with cybercriminals who are able to hack into insufficiently secured databases and accounts. According to the FBI Cyber Division, a Ponemon Institute report was done in March 2013 of the health care organizations that the surveyed 63% reported a data breach in the past 2 years which resulted in a monetary loss of about $2.4 million per breach with a major being information assets (2014). Unfortunately, 45% also indicated that they so not have security measures in place to protect patient information, which could explain the alarming results from an EMC²/RSA White Paper from 2013 that said that over 2 million health care records were compromised in the first half of the year alone. (FBI Cyber Division, 2014). A multitude of medical devices were compromised from imaging software to printers to security application systems due to lack of sufficient security measures being established.

Another issue with protecting medical data is that there is a market for medical data for both financial gain and to receive medical benefits.  Most people would not think that there is a black market for health records; however, it is reported that medical information is actually worth ten times what credit cards are worth on the black market and if personal financial data is also included with the health records it can go for two to three times more because of the value. Medical data theft often goes unnoticed for a period of time before it is caught onto usually not until millions worth of insurance has been paid or medical services or drugs have been received from the victims. A stolen medical record can go for as much as $10 to $1,000, health credentials about $10 each, whereas a stolen social security only goes for about $1 on the black market (Maruca, 2015). The black market monetary value is insignificant compared to the amount of damage and monetary gain that can be achieved from the stolen medical data through medical services or insurance fraud.

Attempting to clean up after a medical data breach has been discovered can be difficult and may still have an impact for years to come due to not all information being rectified. Because of the anonymity of cyber criminals, they will often go uncaught and the victim of the crimes has to work with the agencies in order to clear up their medical data records and regain their identity. The problem with that is medical data theft is that there is more than one victim, the beyond the victim’s records being stolen is the insurance companies and medical service providers that often end up with the biggest monetary loss; therefore, causing a rise in insurance cost which affects everyone else. Theft of medical data is not a victimless crime it is a crime that affects millions of people and the medical industry resulting in the loss of billions with no consequences to the perpetrators, so it needs to be stopped before it continues to occur.

Where the Blame Lies

Although ideally the blame would lie with the cyber criminals who illegally obtain and steal the medical data, but since they are often not caught the blame lies with the organizations that are storing the medical data records. Whether it is insurance companies, prescription providers, doctors’ offices, or storage databases, it all depends on where the breach happened because of insufficient security and/or privacy policies. There is also the chance that the victim could supply their medical data information unknowingly to a criminal, either over the phone or through a phishing scam that they respond to and give data to, but that is an insignificant number compared to what can be garnered from a data breach. Cyber criminals tend to target databases that have mass storage of medical data in order to gain as much information at once for the largest financial gain. Insurance providers are often targeted along with major medical facilities that retain a large number of medical data files in one location. This is the reason why the government penalizes the companies for when a breach takes place due to not protecting the PHI as they are required to under law.  The amount of times cyber criminals has been able to access medical data files proves that the current privacy policies and security is not secure enough to avoid attacks and needs to be improved upon.

Possible Solutions for Medical Data Security

Changes need to be implemented in healthcare management of privacy data and security in order to make electronic and cloud storage safer. Healthcare providers, insurers, and basically anyone who has access to medical data needs to take the responsibility to ensure that they are doing everything in their power to protect the client’s medical data from being obtained by unauthorized access. “To this end, a tri-party one-round authenticated key agreement protocol has been proposed based on the bilinear pairing cryptography that can generate a session key among the participants and communicate among them securely” (Al Hamid, Rahman, Hossain, Almogren, & Alamri, 2017). Requiring additional privacy and security measures that pairs bilinear with cryptology can help to prevent unauthorized access into the medical data systems.

Utilizing blockchain is for securing healthcare data management has also been taken into consideration recently as a solution to preventing unauthorized access. Blockchain is capable of building an open and distributed online database using a list of data structures (blocks) that are linked and distributed throughout multiple nodes of an infrastructure instead of being centrally stored (Esposito, De Santis, Tortora, Chang, & Choo, 2018). The blocks are then timestamped according to production, hash of previous block, and transaction data so that the new block can be instantiated and distributed to everyone in the patient’s network, encrypted, and then inserted into the chain upon approval. Blockchain would allow for a global view of the patience medical records in which the black cannot be modified without all subsequent blocks also being modified which would be easier to detect in the event of unauthorized access. Blockchain is intended to not have a single point of failure, give patients access to their own data, enables easy access to complete medical history, any changes are visible to all members for easier detection of unauthorized modifications. However, the cost of overhauling the medical system to a blockchain method could be costly and privacy and data protections needs to be taken into consideration as well if being used globally.

Another concern for privacy is because of the increased use of Cloud storage and computing for medical data, so security measures also need to be established to protect data that is being transmitted via cloud services. Cloud computing supports real-time data sharing providing resource elasticity to be able to handle big healthcare data for research and policy decision making (Esposito, De Santis, Tortora, Chang, & Choo, 2018). Most cloud service providers have special encryptions and additional security measures established because of privacy concerns for all users, especially businesses. By storing the information off site, it makes it more difficult for cybercriminals to access all the data files through the medical facilities systems without proper authorizations into the databases.

Conclusion

The medical field is an industry where fraud can be committed in which the victims have no idea until they are denied service due to the fraudulent activity and limitation being reached for their healthcare service. There is a growing concern for the breach of medical data because it can be used for fraudulent purposes and cause difficulties for the victims in receiving proper medical care due to insurance limitations. There are policies in place that are meant to protect medical data from breaches of privacy and security of healthcare data storage, but the current policies have not helped to eliminate the problems of healthcare fraud that is being committed through electronic means. The methods of breach vary and may also be the cause of concern when it comes to establishing an effective system. Due to the rising cybercrimes involving medical data, there are problems that occur and are difficult to rectify once the offense has been committed.

The government holds the point of breach as responsible for the theft of the medical data and penalizes them based on the type of breach and the extent of damage that was done.  Therefore, there are other options that should be considered and implemented as a means to make healthcare data storage more secure and to prevent hackers from being able to access pertinent medical data. To avoid being victims of ransomware from cyber criminals and penalties from the government due to breaches, possible solutions need to be further researched that will not only prevent unauthorized access from occurring but make it possible to catch it sooner if a breach does occur. Further research and security measures need to be put into place so that hackers are not able to gain access to medical records and personal information. The loss of access to medical data may cause victims to lose medical coverage, negatively affect their credit and cause financial loss to the victims, as well as monumental financial loss and loss of trust to the organization that was hacked.

References

• Abouelmehdi, K., Beni-Hessane, A., & Khaloufi, H. (2018). Big healthcare data: Preserving security and privacy. Journal of Big Data, 5(1), 1-18. doi:http://dx.doi.org.ezproxy1.apus.edu/10.1186/s40537-017-0110-7
• Al Hamid, H. A., Rahman, S. M. M., Hossain, M. S., Almogren, A., & Alamri, A. (2017). A security model for preserving the privacy of medical big data in a healthcare cloud using a fog computing facility with pairing-based cryptography. IEEE Access, 5, 22313-22328. doi:10.1109/ACCESS.2017.2757844
• Asija, R. (2015). Enhancing security and privacy of healthcare data using XML schema. International Journal of Computer Applications, 116(12), 1-6. doi:10.5120/20385-2684
• Esposito, C., De Santis, A., Tortora, G., Chang, H., & Choo, K. R. (2018). Blockchain: A panacea for healthcare cloud-based data security and privacy? IEEE Cloud Computing, 5(1), 31-37. doi:10.1109/MCC.2018.011791712
• FBI Cyber Division. (2014, April 08). Health care systems and medical devices at risk for increased cyber intrusions for financial gain. Retrieved from http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf
• Khan, S. I., & Abu Sayed Md. Latiful Hoque. (2016). Digital health data: A comprehensive review of privacy and security risks and some recommendations. Computer Science Journal of Moldova, 24(2), 273-292.
• Medical identity theft. (2018, September 25). Retrieved from https://www.consumer.ftc.gov/articles/0171-medical-identity-theft
• Maruca, W. (2015, March 16). Hacked health records prized for their black market value. Retrieved from https://hipaahealthlaw.foxrothschild.com/articles/medical-identity-theft/
• Perkins, N. L. (2009). Health data privacy and security: How the stimulus bill will alter the legal landscape. Orthopedics Today, 29(4), 30.
• Robichau, B. P., (2014). Healthcare information privacy and security: Regulatory compliance and data security in the age of electronic health records (1st ed.). Berkeley, CA: Apress. doi:10.1007/978-1-4302-6677-8