More than 1.8 million medical ID theft victims in 2013
That's a 19% increase over last year according to the 2013 Survey on Medical Identity Theft. More than 300,000 new medical identity theft cases were reported during the one-year period, the study found. The 4th annual survey, conducted by the Ponemon Institute, defined medical identity theft as a person using an individual's name or personal identity “to fraudulently receive medical service, prescription drugs and goods, including attempts to commit fraudulent billing.”
One of the biggest contributors to the increase was fake or spoofed medical websites and spam emails. The share of medical identity theft victims who reported that a cyber scheme caused their troubles doubled, from 4% in 2012 to 8% in 2013. It is clear that the amount and frequency of spear phishing specifically aimed at medical ID theft has gone up. These are not the simple 'Buy this personal enhancement drug here' emails but authentic-looking emails that appear to come from a provider. You click the malicious link and either malware is installed on your computer or you are directed to a website that looks exactly like your medical provider's, and you enter (give away) your credentials there. You might even be able to log into something that asks you to update your personal information. Perfect: I get your credentials along with some additional Rx information, mailing address, SSN or date of birth, anything I can use to impersonate you.
As for data breaches as a cause, only 7% (up one percentage point from last year) believed a data breach at their insurer, health care provider or a related organization was linked to the fraud.
In a separate but related survey, a new Deloitte report says healthcare organizations are in various stages of mitigating the security risks of medical devices. These include patient monitors, infusion pumps, ventilators, pacemakers and imaging devices. Deloitte interviewed the medical device security leaders at nine large hospital systems, and they indicated that their organizations have a long way to go and that they need more cooperation from device manufacturers.
The Food and Drug Administration (FDA) recently released guidance on the "content of premarket submissions for management of cyber security in medical devices." The guidance suggests that device makers incorporate security features into their products to limit access to trusted users and trusted content, and to include fail-safe and recovery features. The FDA wants manufacturers to consider threats like hacking, malware and other vulnerabilities in the device's software, and to work with providers on addressable scenarios. This is certainly an area of importance for both providers and device manufacturers. Remember all the wrangling with PCI and those payment devices? Granted, the FDA guidance is a recommendation and not a regulation like PCI, so there is reluctance to include security measures in purchasing contracts.
The other issue healthcare organizations face is trying to secure older proprietary devices. These closed systems make it almost impossible to scan for vulnerabilities, but they are still in widespread use. Other devices run on well-known commercial operating systems, and they are vulnerable to the same threats as any other device running that software.
Deloitte also asked the medical device security heads where their organizations stood in several areas of cyber security. These included: organizational leadership, risk framework, identification and evaluation, data flow, vulnerability management, vendor agreements and manufacturer engagement. Ken Terry over at Information Week goes into detail on each.
So far there have been no documented instances of "intentional threats" to medical devices, according to the report, but healthcare providers are not required to report security incidents to the FDA or the device manufacturer unless a death or serious injury has occurred.