Here’s one of the nightmares I’ve occasionally had over the past two years: a healthcare entity gets hacked, but instead of patient data being stolen, it’s corrupted, leading to inaccurate patient medical records that result in wrong treatment or even fatal mistakes.
Has it already happened? Data corruption is a risk that has always been mentioned in the context of medical identity theft if someone else uses your identity information to obtain medical care, but I’ve never seen any public reports of patient records being maliciously corrupted by hackers. But the risk of data corruption has always been recognized, as Jason Hart writes this week on SC Magazine:
When we think of data breaches, we picture instances where a large amount of customer data has been stolen from a business or organisation, such as the recently disclosed Yahoo hack.
Whilst much of the IT security industry is focussed on preventing data theft, there’s another element that needs to be considered: data manipulation. The risks data theft poses to businesses are well understood. However, the dangers of data manipulation, where hackers damage the integrity of the data, are only just beginning to become clear, as it is harder to detect and prevent, because nothing is stolen.
So assume an entity does not know its patient records have been maliciously and intentionally corrupted. What “best practices” should entities routinely follow to determine if that’s happened? What “best practices” should entities follow to ensure that in the event that they do detect a problem, they have a clean and accurate backup? Because if you don’t know it’s happened or when it’s happened, can you even rely on your backups?
Will the next generation of ransomware be of the form, “Pay us and we’ll tell you what records we corrupted or restore your clean files, and if you don’t pay us, you may not know what patients have had their records altered.” ?
Like I said, it’s one of my nightmares – not as a healthcare professional, because I don’t prescribe or have responsibility for life or death medical decisions – but as a member of the public who relies on doctors having her and her family’s accurate medical records.
How does an entity know their data hasn’t been tampered with? I’ve been arguing this a long time. It’s an ideal attack. Even if an organization is told “here’s your original data” how would the organization know? That is essential.
Backups are only retained for a certain period. We keep backups around monthly for a year, but it’s not at all reasonable to restore a month-old backup and resume service based on that. The point of the months old backup is simply financial. Restoring that backup for healthcare is not at all reasonable. At some point, we may have to take the loss of healthcare data if the data is compromised. That scares the hell out of me.
I do my best to secure our data, but I know how easy it is to be lazy. I think my clients are in relatively good shape. However I know what’s at stake and have a lot of doubts about our counterparts. It’s very scary.