The devastation caused by COVID-19 has not been limited to the loss of life. Over the last couple of years the FBI has been warning healthcare professionals about cybercrime and the growing focus of criminals on healthcare organizations and individuals.
Ms. Alissa Knight, a “recovering hacker” and a Knight Ink cybersecurity researcher, has commented that protected health information (PHI) is the most valuable data on the dark web. In her words: “It’s 10 times more the price of a credit card for a single PHI record.”
Add to that the initiatives and growth in telemedicine, the requirement to build application programming interfaces (APIs) for connectivity and data sharing, the growth of remote patient monitoring, and the push to expedite the COVID-19 rollout, and you have the elements of a perfect storm. Some of the findings of recent research by Ms. Knight and Approov, a mobile security company, included:
- According to Experian, a Social Security number sells for $1 and a credit card for up to $110, but a full medical record can fetch up to $1,000. (Experian, 2017)
- Out of the API endpoints tested, 100% were vulnerable to Broken Object Level Authorization (BOLA) attacks, giving unauthorized access to full patient records: downloadable lab results and X-ray images, blood work, allergies, and personally identifiable information (PII) including home addresses, family member data, birthdates, and Social Security numbers.
- The findings demonstrate that the security controls required for compliance with the US government's FHIR/SMART standards are only a subset of what is needed to secure mobile apps and the APIs through which those apps retrieve data and interoperate with data sources and other applications.
- 27% of the mobile apps tested were not protected against reverse engineering by code obfuscation.
- 77% of the mobile apps tested contained hard-coded API keys, tokens, private keys, usernames, and passwords.
- Where a cryptographic key is hard-coded into an app, it is almost certain that malicious users will extract it and gain access to the account it protects: the key is identical in every installation, can be recovered from the binary, and cannot be rotated without shipping a new app.
- 50% of the APIs tested allowed Ms. Knight to access admissions records for patients being admitted to the hospital as inpatients, records her level of authorization should not have permitted her to see.
- In 100% of the APIs tested, BOLA vulnerabilities allowed Ms. Knight to view the personally identifiable information (PII) and protected health information (PHI) of patients who were not assigned to her clinician account.
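The BOLA findings above (the 100% figure, the admissions records, and the records of patients not assigned to her account) all come from one flaw: the server checks who is calling but never checks whether that caller may see the particular object requested. The following is an added example, not code from the Knight/Approov research or from any real FHIR server; the patient records, clinician accounts and handler names are constructed assumptions, shown as the vulnerable handler beside its hardened form with a small enumeration harness that plays the attacker.

```python
"""Broken Object Level Authorization (BOLA) in a clinician-facing patient endpoint.

Added example: not code from the Knight/Approov research or from any real FHIR
server. The patient records, clinician accounts and handler names are
constructed assumptions used to show the flaw and its fix side by side.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Patient:
    patient_id: str
    name: str
    ssn: str            # PII; the kind of field a BOLA walk exposes
    labs: List[str]     # downloadable results, likewise


# Constructed sample store: two patients, each assigned to one clinician.
PATIENTS: Dict[str, Patient] = {
    "p-1001": Patient("p-1001", "Alice Example", "123-45-6789", ["HbA1c 6.1%"]),
    "p-2002": Patient("p-2002", "Bob Example", "987-65-4321", ["CBC within range"]),
}
ASSIGNMENTS: Dict[str, Set[str]] = {
    "dr-smith": {"p-1001"},
    "dr-jones": {"p-2002"},
}


class NotAuthenticated(Exception):
    """Caller has no valid session (HTTP 401)."""


class NotFound(Exception):
    """Record does not exist or is not visible to this caller (HTTP 404)."""


def get_patient_vulnerable(session_user: str, patient_id: str) -> dict:
    """Vulnerable handler. It checks *who* is calling but never checks whether
    that caller may see *this* patient, so any authenticated clinician can walk
    the patient_id space and read every record: the BOLA pattern."""
    if session_user not in ASSIGNMENTS:
        raise NotAuthenticated()
    p = PATIENTS.get(patient_id)
    if p is None:
        raise NotFound()
    return {"id": p.patient_id, "name": p.name, "ssn": p.ssn, "labs": p.labs}


def get_patient_fixed(session_user: str, patient_id: str) -> dict:
    """Hardened handler. The object-level check (is this patient assigned to
    this clinician?) runs server-side before the record is read. Unknown and
    unassigned IDs get the same answer, so the endpoint cannot be used to
    confirm which patient IDs exist."""
    if session_user not in ASSIGNMENTS:
        raise NotAuthenticated()
    if patient_id not in ASSIGNMENTS[session_user] or patient_id not in PATIENTS:
        raise NotFound()
    p = PATIENTS[patient_id]
    return {"id": p.patient_id, "name": p.name, "ssn": p.ssn, "labs": p.labs}


def walk_ids(handler: Callable[[str, str], dict], session_user: str,
             candidates: List[str]) -> List[str]:
    """Simulate the attacker's enumeration: try every candidate ID with one
    clinician session and return the IDs whose records came back."""
    exposed = []
    for pid in candidates:
        try:
            handler(session_user, pid)
            exposed.append(pid)
        except (NotFound, NotAuthenticated):
            pass
    return exposed


if __name__ == "__main__":
    ids = ["p-1001", "p-2002", "p-3003"]
    print("vulnerable:", walk_ids(get_patient_vulnerable, "dr-smith", ids))
    print("fixed:     ", walk_ids(get_patient_fixed, "dr-smith", ids))
```

The fix is deliberately not "deny if the ID is someone else's": it is "allow only if the ID is in the caller's assignment set", evaluated from server-side state rather than anything the client sends. Returning the same not-found answer for unknown and unassigned IDs closes the enumeration side channel that a 403-versus-404 split would leave open.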
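The hard-coded key finding (77% of apps) is something a practitioner can check for on their own builds before an attacker does: decompile or run `strings` over the binary and search the output for credential shapes. The scanner below is an added example, not a tool from the Knight/Approov research; `SAMPLE_STRINGS` is a constructed excerpt of what such a dump might contain, and the pattern set is a starting point to extend with the token formats your own backends issue.

```python
"""Finding hard-coded credentials in a decompiled mobile app.

Added example, not a tool from the Knight/Approov research. SAMPLE_STRINGS is a
constructed excerpt of what `strings` over an APK/IPA or a decompiled source
tree might yield; in practice you would feed the scanner that real dump.
"""
import base64
import re
from typing import Dict, List, Optional

SAMPLE_STRINGS = """\
https://api.example-health.invalid/fhir/Patient
API_KEY=AKIAIOSFODNN7EXAMPLE
x-api-key: sk_live_51H8zQwExampleExampleExample
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexample
Basic YWRtaW46cGFzc3dvcmQxMjM=
password=Sup3rS3cret!
Content-Type: application/fhir+json
"""

# Each pattern names the class of secret it catches. Where a group is present it
# captures the secret value itself; otherwise the whole match is reported.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("basic_auth_header", re.compile(r"\bBasic\s+([A-Za-z0-9+/]{8,}={0,2})")),
    ("credential_assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
]


def decode_basic_user(b64: str) -> Optional[str]:
    """Return the username from an HTTP Basic credential, or None if it is not
    valid base64 'user:password' text."""
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text.split(":", 1)[0] if ":" in text else None


def scan_strings(dump: str) -> List[Dict[str, object]]:
    """Scan a strings dump line by line and report every hard-coded secret found,
    with the line number so the finding can be traced back to the binary."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            finding: Dict[str, object] = {"kind": kind, "line": lineno, "value": value}
            if kind == "basic_auth_header":
                finding["user"] = decode_basic_user(value)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_STRINGS):
        print(f"line {f['line']:>3}  {f['kind']:<22} {f['value']}")
```

A hit from this scanner means the secret is already in the hands of anyone who downloads the app, so the remediation is rotation plus redesign (per-user tokens issued after login, or app attestation) rather than obfuscation alone; obfuscation slows the extraction, it does not prevent it.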
The list of exposed vulnerabilities is overwhelming, yet the answer is simple: “A journey of a thousand miles begins with a single step.” I believe that first step should be grounded in the standards of the HIPAA Security Rule. But do not become complacent: this is only the first step, and a lot more will need to happen to protect our infrastructure and data.
CMS is moving forward with its shift toward a risk-based payment system. The problem is that some of the players may not have their logistics in place, which could result in participants losing money. CMS explains Direct Contracting as follows:
“Direct Contracting is a set of three voluntary payment model options aimed at reducing expenditures and preserving or enhancing quality of care for beneficiaries in Medicare fee-for-service (FFS). The payment model options available under Direct Contracting create opportunities for a broad range of organizations to participate with the Centers for Medicare & Medicaid Services (CMS) in testing the next evolution of risk-sharing arrangements to produce value and high quality health care. Building on lessons learned from initiatives involving Medicare Accountable Care Organizations (ACOs), such as the Medicare Shared Savings Program (MSSP) and the Next Generation ACO (NGACO) Model, the payment model options available under Direct Contracting also leverage innovative approaches from Medicare Advantage (MA) and private sector risk-sharing arrangements.”