It’s an epidemic: Hackers eye health records to net big cash

Cyber criminals have found new ground to exploit in medical records.

Just last month, global sporting icon Mo Farah had his medical files made public by hackers, which put the four-time Olympic champion under pressure to clarify his previous statements on steroid use.

A recent study by the Brookings Institute predicts one in four data breaches this year will hit the healthcare industry, a worrying trend.

The industry – arguably one of the most technologically advanced considering the gadgets and devices now used to monitor health statistics and perform medical procedures – is ironically among the most ‘unhealthy’ when it comes to network security.

At a recent African summit on healthcare innovation held in the Nigerian capital of Lagos, which Kenya participated in, attendees were told medical insurance records have become increasingly attractive to cyber criminals.

In the US alone, it was said, about nine in 10 healthcare institutions suffered a security breach, and were twice as likely as institutions in other industries to be targeted by cyber criminals.

Changing passwords

Unlike banking records that can be re-secured by changing passwords, once medical information is leaked, it remains available to anybody willing to pay for it.

A recent report by global consultancy firm KPMG, Health Care and Cyber Security: Increased Threats Require Increased Capabilities, notes healthcare record theft this year increased by 1,100 per cent, with 100 million records compromised by hackers.

Cyber criminals are gaining access to medical data and ‘kidnapping’ it, only releasing it once a hospital or individual pays a ransom. The criminals tend to use software, dubbed ransomware, that blocks access to the data until money is paid.

Because medical organisations generally deal with multiple crises, they need to secure their data and are usually willing to pay the ransom to get back their records.

“Health data includes a lot of personal and financial information, which can be used by criminals for fraud and other crimes. The data is very attractive to many criminals,” Insurance Regulatory Authority (IRA) CEO Sammy Makove said.

The IRA boss said the regulator expects insurance companies to put in place systems that guard the insured against such risks.

For now, Mr Makove added, his agency had not heard of any cases of data breaches in the local industry.

But Association of Kenya Insurers (AKI) CEO Tom Gichuhi told Business Beat that local insurance firms have no systems in place to keep cyber criminals away from people’s files.

“Cyber crime is an emerging risk, and while traditionally it was targeting financial institutions like banks for monetary gains, it has started to target insurance health records and also life covers,” Mr Gichuhi said.

“Sadly, we in the insurance industry are not immune to cyber crime and we currently do not know how to protect our clients.”

Still, insurers are planning to come up with a new product that will cover risks around cyber crime.

The AKI boss noted that although the country’s insurance sector is yet to see health insurance records hacked, this does not mean the industry is not exposed.

“We live in a global village where everyone is interconnected. What is happening in America now will soon happen here, and we need to get our systems right,” Mr Gichuhi said.

He added that AKI’s current plan to combat the spectre of cyber crime is to sensitise insurance companies to the emerging risk.

The association aims to hold a workshop before the end of the year, where experts will be called in to show insurance companies how they can build robust systems that are immune to hackers.

Identity theft

The KPMG report found that data collected and stored by hospitals and other sector organisations is up to 10 times more valuable to cyber criminals than credit card information.

This is due to the sheer volume of information gathered about individuals – and the fact that there is an increased shift to digital medical records, which makes it easy to commit fraud and identity theft.

Given the value of this data in the black market, cyber attacks in the health sector are becoming more sophisticated.

However, Jubilee Insurance Company Group CEO Sachin Samant said there is software insurers can use to protect data.

He added that the idea of extracting ransom when crucial information is in the hands of cyber criminals has become common, especially in the West, while locally, the motivation for this would be fraud.

“Cyber criminals can seek details of customers that can be sold to local competitors or direct marketers,” he said.

For local firms, the KPMG report recommends that: “Security should not be reactive and should not be done just because organisations want to comply with legislation .... But unfortunately, this is the case in the healthcare industry and it’s the reason they are always one step behind the attackers.

“Security should be about prevention and the desire to ensure the integrity of sensitive information.”
