In 2020, large healthcare data breaches in the U.S. occurred almost twice daily, 25 percent more than 2019, which was also a record-breaking year. What’s going on?
What is healthcare cybercrime?
Cybersecurity is a growing area of risk in healthcare, and organizations are grappling with the vulnerabilities and the ways patient data can be used against patients and organizations. From identity theft to healthcare fraud, waste and abuse, cybercriminals breached 642 accounts of 500 or more patient profiles in 2020. That’s a rate of more than 1.76 per day, reports HIPAA Journal, adding up to 29 million healthcare records breached last year. Security breaches cost healthcare companies $6 trillion dollars by the end of 2020.
According to Health IT Security, three security data breaches in 2020 alone affected almost 2,000,000 records, opening opportunities for identity theft and online fraud.
- Health Share, Oregon’s largest Medicaid coordinated care organization, notified 654,000 patients that a laptop was stolen from its transportation vendor. The stolen device contained patient names, contact details, dates of birth, and Medicaid ID numbers.
- A ransomware attack on the Florida Orthopedic Institute breached the records of about 640,000 patients with the malware encrypting data stored on FOI servers. The data varied by patient, but potentially included Social Security numbers, dates of birth, claims addresses, insurance plan identification numbers, FOI claims histories, diagnosis codes, payer identification numbers, payment amounts, contact details and physician locations.
- Magellan Health affiliates and some of its clients were subjected to a sophisticated ransomware attack In April 2020. Close to 365,000 patients and employees were affected. Hackers “gained access by leveraging a social engineering phishing scheme that impersonated a Magellan Health client, five days before the ransomware was deployed.” During that time, hackers first extracted sensitive data from the impacted server that included employee credentials, passwords, and W-2 forms, as well as patient data.
Leaving the door open for cyber-attacks and identity theft in healthcare
As with any data breaches, cybercriminals find their way into healthcare records in devious ways. With many administrative staff working from home during the pandemic, employees may be unwittingly creating opportunities for hackers. According to Healthcare Information and Management Systems Society, Inc. (HIMSS), some of the more common breaches were via:
- Email, especially phishing scams
- Physical security, such as leaving a laptop unattended
- Legacy systems, which may include outdated applications, security software and operating systems
- Passwords that are too easy to decipher or outdated
- Vendor breaches, such as the file disposal example above, or a supply chain attack wherein the criminal hacks into a supplier’s system and gains access through the supplier’s permissions
- Ransomware, which is particularly successful as medical organizations need access to medical records 24/7
- Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records
The value of stolen healthcare records
The value of healthcare credentials varies on the web, depending on which source you ask. According to the Dark Web Price Index 2020, credit card details generally sell for US$12-20, whereas a Gmail account can fetch US$156. One reason may be that many users sign into other accounts using their Google login, so that opens the door to many profitable opportunities.
So it’s interesting that medical records can be 50 times more valuable than payment card information. This comes down to data completeness and data quality. Medical records can help to complete a full personal profile with medical history, prescription records, payment cards, date of birth, social security number and more. Additionally, if the data has been validated by completing a transaction, its value increases. When sold on the dark web, these records may be used multiple times before the patient is aware their information has been illegally shared.
From cybersecurity threat to healthcare fraud
Not all stolen data is immediately sold on the dark web. In addition to other forms of fraud, such as payment fraud and falsified credit applications, healthcare data can be very valuable for committing healthcare fraud.
“With the easing of regulations during COVID, criminals are taking advantage of this to defraud medical payers of millions of dollars,” says Beth Griffin, Vice President, Healthcare, Security Innovation for Mastercard.
Stolen health insurance details are also used to fund expensive medical services and devices, and to help bad actors fraudulently obtain government benefits, including Medicare, Medicaid and COVID relief funding.
Perhaps even more profitable is phantom fraud. A phantom biller will set up a provider profile with a payer(s) and bill a very high volume of services or goods to stolen credentials. Billings are processed over a very short time period, then the fraudster disappears before anyone realizes there is a problem.
Impacts from healthcare cyber breaches
“While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again,” reports The Rampant Growth of Cybercrime in Healthcare, published by health IT advisor organization Workgroup for Electronic Data Interchange (WEDI).
Healthcare cyber breaches cost US health payers $6.45 billion annually. The average breach costs $3.92 million per event and $429 per record.
Remember too, stolen identities sold on the dark web may be used to commit all manner of crimes, from fraud or money laundering to falsified passports. Victims of fraud may refuse to pay for services not received, unwittingly having a negative impact on their credit scores and affecting them for many years.
How to prevent cyber-attacks in healthcare
“Chronic underinvestment in cybersecurity has left many [healthcare organizations] so exposed that they are unable to even detect cyberattacks when they occur,” says the WEDI report.
Attempts to steal sensitive healthcare data are on the rise, yet, among all industries, healthcare ranks near the bottom in terms of cybersecurity preparedness.
Mastercard®, recognizing this challenge, uses artificial intelligence, behavioral biometrics, device intelligence and user analytics to help healthcare payers and providers secure their data comprehensively.
Mastercard’s cybersecurity tools include identity management and authentication of mobile and web-based interactions, and enterprise audits that can pinpoint a company’s vulnerability to attack. The biometric capabilities recognize patterns of unique behavior, such as timing and pressure of keystrokes, the angle the device is held and other individual behaviors. When these vary, such as dozens of keystrokes entered identically and simultaneously, they can identify a mass takeover attempt.
Dedicating budget to training is also important. Prevent breaches through security awareness training and refresh it every six months. Staff can get busy (or complacent) and forget to log out when they leave their desks, may neglect to change passwords frequently, or open phishing emails they don’t recognize, potentially enabling criminal access to your system’s data. Make cybersecurity top of mind.
How to use AI to prevent healthcare fraud
The fact is that some cybercriminals will be successful and healthcare organizations must be prepared to detect fraudulent claims.
“The COVID-19 pandemic and the ensuing pressures it has brought to healthcare providers and payers alike is exacerbating the need to verify the validity of claims coming in and payments going out,” according to analysts at Aite Group.
Identifying healthcare fraud, waste and abuse (FWA) is critical to stemming escalating losses. Fraud schemes change rapidly, as we’ve seen with the pandemic. Forty-nine percent of healthcare organizations rely on rules-based detection systems, which are hard-coded with hundreds of algorithms and rules. They are self-limiting and lose value over time as fraudulent behaviors change, resulting in false positives for 40 percent of investigated claims on average.
A single advanced-AI model provides its own updates through real-time, continuous self-learning and adapts to changing behavior it learns from new data. Advanced AI learns through the final disposition of cases and claims, identifying valid claims and flagging new fraudulent patterns. The result is an average 20x fewer false positives and only files that are highly likely fraud are flagged.
AI models can be tailored to identify healthcare claims fraud, prescription abuse, upcharges, phantom billings, and many other FWA challenges. Mastercard helps payers detect erroneous or fraudulent claims, either before payment or upon investigation.
Mastercard’s FWA solution
Mastercard’s Smart Agent technology creates an end-to-end suite of profiling and modeling capabilities that continuously adapt and improve results. This seamless combination of advanced AI tools delivers personalized decisions in milliseconds to payers, insurance companies, federal or state governments, payment processors and other payment integrity vendors. Evolving models scale with the data, increase detection rates and decrease operational costs and false positives.
“The key thing is we have a platform that operates at scale and with the necessary redundancy to operate at scale,” says Griffin. “There’s a backup if something goes wrong whether it’s a power failure or data problem, and we can continue to operate at scale and detect fraud throughout.”
Mastercard’s AI analyzes and processes 100K decisions per second with 99.9999% uptime as it is built on a distributed file architecture. As a result, the analysts at Aite Group reported the “scalability is over twice that of its closest competitor. Its streaming infrastructure with no underlying databases is a key driver of this impressive performance.”
Mastercard’s strength in cybersecurity in healthcare comes from decades of experience as a prime target, and they bring that same level of security protection to the healthcare organizations they partner with.