Healthcare Data Breaches: Implications for Digital Forensic Readiness
While the healthcare industry is undergoing disruptive digital transformation, data breaches involving health information are not usually the result of integrating new technologies. Based on published industry reports, fundamental security safeguards are still lacking, with many documented data breaches occurring as the result of device and equipment theft, human error, hacking, ransomware attacks and misuse. Health information is one of the most attractive targets for cybercriminals due to its inherent sensitivity, but digital investigations of incidents involving health information are often constrained by the lack of the infrastructure necessary for forensic readiness. Following an analysis of healthcare data breach causes and threats, we describe the associated digital forensic readiness challenges in the context of the most significant incident causes. With specific focus on privilege misuse, we present a conceptual architecture for forensic audit logging to assist with the capture of the relevant digital artefacts in support of possible future digital investigations.
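As an added illustration of the kind of forensic audit logging the abstract refers to (this is example code, not the paper's own architecture), the block below keeps a hash-chained log of health-record accesses so that later tampering is detectable, and flags accesses by staff with no care relationship to the patient as candidate privilege misuse. The care-team roster and the access events are constructed assumptions.

```python
import hashlib
import json

# Added illustration, not the paper's own architecture. A hash-chained audit
# log of health-record accesses: each record commits to the previous digest,
# so later tampering or deletion is detectable during an investigation.
GENESIS = "0" * 64

def _digest(prev, event):
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append_event(chain, event):
    """Append one access event to the chain; returns its digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "digest": _digest(prev, event)})
    return chain[-1]["digest"]

def verify_chain(chain):
    """Return the index of the first broken record, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["digest"] != _digest(prev, rec["event"]):
            return i
        prev = rec["digest"]
    return -1

# Hypothetical care-team roster: which staff have a treatment relationship
# with which patient. Access outside this roster is candidate privilege misuse.
CARE_TEAM = {"P1001": {"dr_lee"}, "P1002": {"dr_lee", "nurse_kim"}}

def flag_privilege_misuse(chain, care_team=CARE_TEAM):
    """List (user, patient) pairs where the accessing user had no care relationship."""
    return [(r["event"]["user"], r["event"]["patient"]) for r in chain
            if r["event"]["user"] not in care_team.get(r["event"]["patient"], set())]

def build_sample_log():
    """Constructed sample events (not real data) run through the audit log."""
    events = [
        {"ts": "2018-04-08T09:00:00Z", "user": "dr_lee", "patient": "P1001", "action": "view"},
        {"ts": "2018-04-08T09:05:00Z", "user": "nurse_kim", "patient": "P1002", "action": "view"},
        {"ts": "2018-04-08T23:40:00Z", "user": "nurse_kim", "patient": "P1001", "action": "export"},
    ]
    chain = []
    for e in events:
        append_event(chain, e)
    return chain
```

Running `verify_chain` on the sample log returns -1 and `flag_privilege_misuse` returns the single out-of-roster access; editing any earlier record afterwards makes `verify_chain` report that record's index.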
Keywords: Computer crime; Forensics; Health information management; Security; Threat
We thank the anonymous reviewers for their valuable comments which helped us to improve the organization and content of this paper.
Compliance with Ethical Standards
Conflict of interest
The authors declare that they have no conflict of interest.
This article does not contain any studies with human participants or animals performed by any of the authors.