Still, John Hawes, writing in the Sophos blog Naked Security, noted that while a single cyber attack can lead to the exposure of millions of records, smaller breaches due to human carelessness can add up as well.
He cited unencrypted CDs lost in the mail, a number of stolen laptops and even paper records stolen from a storage shed or falling off the back of a truck — incidents that left thousands of records exposed.
There are several reasons for PHI becoming an increasingly attractive target for cyber criminals. First, the number of such records is growing by the millions. One of the requirements of the Affordable Care Act is the generation of Electronic Health Records (EHR), to allow medical professionals to share information about patients more easily.
They also contain very valuable data. "Personal health records are high-value targets to cybercriminals," said Dan Berger, president and CEO of Redspin. "They can be exploited for identity theft, insurance fraud, stolen prescriptions, ransom, and dangerous hoaxes."
Indeed, Dark Reading reported in October that, "credit cards can now go for a dollar or less on the black market, but stolen health credentials may sell for as high as $10 per patient."
Danny Lieberman, CTO at Software Associates, said PHI can be valuable, "in personal disputes — imagine lawyers attempting to obtain the dirt on a spouse in a divorce case — and to an insurance investigator trying to disprove a claim of injury. And some data is intrinsically sensitive, like AIDS and cystic fibrosis, where it will influence an employer not to hire someone," he said.
Delmar said the use of PHI for blackmail does happen but is relatively rare. The main motivation, she said, is profit — gathering information, "that can be used to build a folio to support some manner of fraud."
Ulf Mattsson, CTO at Protegrity, added that another attraction of PHI is that its value does not degrade as rapidly as credit card data, which can be changed or updated quickly. "PHI is long-lived and will always be valuable to those wishing to exploit it," he said.
And, as the statistics show, one of the most successful paths to stealing that data is to dupe employees.
"Hackers are generally efficient — they look for the easiest path to exploit," Berger said. "Unfortunately today, the weakest link is the employee population and their lack of security awareness. Phishing attacks are disturbingly successful. And it only takes one employee to get duped for the hacker possibly to gain their credentials and pivot to exploiting a database of PHI."
Human weakness is not confined to the healthcare field, of course. But as Mattsson noted, "healthcare is unique in that there are a greater number of people who come in contact with sensitive information during the course of normal business operations than in other industries."