Protecting Valuable Personal Health Information (PHI)

There’s no way around it: medical care impacts us all. Even in good health, we cannot predict accidents and emergency situations that will require the knowledge and skills of medical professionals.

The amount of data generated and stored each time we receive care is significant: interactions with healthcare providers, from a routine physical to major surgery, generates the data that medical providers use to detect, diagnose and treat health-related issues.

Moreover, doctors and nurses are no longer tethered to desks: they can enter review lab results, observe patient drug intake and make medical recommendations from anywhere.  Case in point: concerned about a severe fever our oldest son had, my wife emailed our pediatrician asking for guidance. Despite being at a holiday party that evening, our pediatrician logged into her patient management system via her smartphone, pulled up our son’s medical history, and checked some recent test results so she could advise us—all without leaving the party.

The third in a series of three entries, this blog focuses on key scenarios that healthcare organizations with public-facing web apps should monitor to defend against account takeover (ATO). For a refresher on how utilizing a threshold-based approach enables organizations to identify irregular request patterns to spot fraudulent activity, check out the first entry in this series on ATO.

The Value of Personal Health Information (PHI)

Account takeover (ATO) continues to be a business challenge our customers repeatedly tell us they must defend against—and one that cuts across nearly every vertical as shown in our recent Identifying Indicators of Web Attacks whitepaper.  Indeed, a 30-day slice of web request telemetry from across our customer base shows that healthcare was the second most targeted vertical for credential stuffing that can lead to account takeover.

Data is the lifeblood of any organization, but even more so in healthcare:  from medical research to patient care to prediction and prevention, research firm IDC predicts the healthcare industry will generate 2,314 exabytes of data in 2020 and increase 48 percent annually. Over 300,000 mobile health apps that track personal health data enable medical staff to communicate with patients.

The ecology of applications, APIs and microservices that power the digital transformation of the healthcare and life sciences industries requires protection and compliance: HIPAA, or the Health Insurance Portability and Accountability Act, is federal legislation that sets privacy standards for safeguarding medical information. As a regulatory tool to hold organizations accountable, HIPAA lays out the responsibility healthcare providers and vendors have to safeguard electronically stored and transmitted PHI (personal healthcare information).  Should attackers penetrate a healthcare company’s defenses to gain access to sensitive patient data, HIPAA penalties that hold medical organizations accountable will impact an organization’s bottom line.

And PHI’s monetary value is significant: medical records can sell on black market for up to $1,000 per record. In comparison, credit card records sell for just a fraction of that, from as little as $1 to as much as $100¹. Organizations found in violation of HIPAA protections pay between $100 to $50,000 per incident with a maximum fine of $1.5 million per per violation annually².

To provide a real example of the scale of fines levied for HIPAA violations, consider the fallout from the 2015 Anthem Inc. data breach:  In October 2018, Anthem Inc., settled its HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights (OCR).  for $16 million. The massive fine was due to the extent of HIPAA violations discovered by OCR and the scale of its 2015 data breach, which saw the protected health information of over 78.8 million plan members stolen by hackers³.

Why PHI Security Matters: Common Fraud Scenarios

Given the value of stolen PHI, attackers attempt to gain access and leverage it for fraudulent means. Here are a few prevalent scenarios once an attacker breaches a web application that fronts valuable PHI:

• Exploit victims’ medical conditions: patients can become targets of fraud when their personal medical records are exposed.
• Attackers without valid health insurance coverage can commit fraud to gain access to expensive medical services, devices and medications.
• With victims’ PHI, attackers can gain access to government benefits.

Common web layer threat vectors to obtain PHI

• OWASP injection attacks including SQL injection and cross-site scripting (XSS)
• Account takeover via credential stuffing also opens the door to malicious actors viewing patient insurance policy data, their claims data, and viewing and exfiltrating medical records.

Signal Sciences secures the web apps that power health care

Our patented agent-module pair can deploy in any infrastructure that medical providers chose to run their applications. Once installed, Signal Sciences is a low- to no-touch and that can detect and stop account takeover attempts and thus the fraudulent activity that can result from exfiltrated PHI. With Signal Sciences inspecting the web requests, customers gain:

• Immediate protection against OWASP Injection attacks without detection rules or learning.
• Real-time visibility and protection of the key transaction flows targeted by attackers in account takeover attacks

Monitor key application transactions  such related to viewing policies, claims data and patient records.

Detect and Prevent Account Takeover with Signal Sciences

Signal Sciences provides real-time, automated visibility not only into login and account creation activity, but also the web request values and context behind those requests that can reveal fraud with easy configuration and no performance impact on the apps protected.

Legacy WAF appliances can add significant latency to web requests, adversely impacting customer experience and require significant maintenance just to keep up with the rapid pace of DevOps—and that’s time you could be using to defeat the adversary. With Signal Sciences, you get visibility when it counts, not later when it’s too late. See for yourself with a live demo or download and read more about our brute force and ATO prevention capabilities.

¹ https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/
² Penalties for Violating HIPAA – Indiana University, https://kb.iu.edu/d/ayzf
³ https://www.hipaajournal.com/summary-2018-hipaa-fines-and-settlements/