ICIT report outlines ways breaches can ruin patients' lives

Healthcare executives’ “lackadaisical approach” to cybersecurity endangers the lives and futures of breach victims, who have little help or recourse for dealing with identity theft, according to a new report from the Institute for Critical Infrastructure Technology.

It looks at how healthcare information is exploited on the Dark Web, with the data often being sold multiple times. Such information also can continue to be sold for the rest of the victim’s life, the authors say in their tersely worded report, adding that "for some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead.”

The report lays out testimony the organization will present at a Senate hearing on Sept. 22.

The authors also in the report write about cases where health security breaches negatively impacted individuals.

One example is a woman had a baby in Utah using the stolen medical identity of Anndorie Cromar to pay for the services. When the child was born with drugs in its system, Child Protective Services took custody of it and, assuming Cromar was a drug addict and negligent parent, went after custody of the real Anndorie Cromar’s other children. Cromar had to undergo a DNA test to remove her name from the infant’s birth certificate, and she spent years correcting her medical records.

“Once a hacker owns an EHR, they effectively own the victim,” the authors say. “Every patient record compromised from every healthcare organization has the potential to devastate and financially ruin a United States citizen.”

They say consumer protections have not kept up with the proliferation of data breaches. Meanwhile whole databases are sold through the Dark Web, usually in private, offline transactions, a practice that law enforcement struggles to stop.

The flow of data around a fragmented healthcare ecosystem also makes it vulnerable, with an HIMSS survey showing a lack of encryption of data in transit and at rest at many organizations.

It can be life-threatening if a person’s medical record is altered as criminals engage in medical identity theft--and the danger increases exponentially as the data is sold multiple times, the authors write.

Meanwhile, a new HITRUST paper urges organizations to move beyond prevention to cyber-resilience, accepting that breaches will occur and focusing on detection and response.