Patient Data on the Dark Web

The dark web is a part of the internet made up of hidden sites that you can't reach through conventional web browsers. Sites on the dark web use encryption to mask both the site’s owner and its users, making it useful to criminals coordinating illegal activities, such as selling private banking information or trafficking illicit substances or materials.

The dark web can be a menace, and with the wave of cybercrime associated with COVID-19, healthcare providers should be paying attention. Medical records can be sold for up to $1,000 on the dark web, depending on how complete they are. Why are medical records valuable to cybercriminals? Because they're chock full of personal information that makes it easy to steal a patient’s identity: full names, birthdays, social security numbers, contact information, and sensitive medical history. Unlike a credit card number, this sort of information cannot easily be changed. Identity theft is a tremendous and expensive burden on a patient, and it’s your duty under HIPAA to keep Protected Health Information (PHI) safe and private. Luckily, proactive information security can keep your PHI off the dark web and save you and your patients the headache of a data breach.

Here are some practical steps you can take to protect your organization’s PHI from being stolen and sold on the dark web.

1. Keep good password hygiene

One employee’s compromised credentials can leave your network vulnerable to hackers. Make sure that your organization has a strong password policy in place.
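As an added example (not code from the original post), here is what a password policy check might look like when enforced in software: a minimum length, a comparison against a list of known-compromised passwords by SHA-1 digest (the way public breach corpora are commonly distributed), and a rejection of passwords that contain the username or the organization's name. The compromised-password list and the usernames below are constructed sample data; the length threshold and organization terms are assumptions you would tune to your own policy.

```python
"""Password policy checker (added example, not from the original post).

Checks a candidate password against a small, constructed list of
compromised passwords stored as SHA-1 digests, plus a few structural
rules. MIN_LENGTH and the organization terms are assumptions.
"""
import hashlib
import re

MIN_LENGTH = 14  # assumed policy value

# Constructed sample: passwords that commonly appear in breach dumps,
# stored as upper-case SHA-1 hex digests so the plaintexts need not be kept.
_SAMPLE_COMPROMISED = ["password", "Password1!", "Welcome2020", "letmein123"]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_COMPROMISED
}


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-cased to match the breach-list convention."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password(password: str, username: str = "", org_terms=()) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sha1_upper(password) in COMPROMISED_SHA1:
        problems.append("appears in compromised-password list")
    lowered = password.lower()
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    for term in org_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains organization term '{term}'")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    if re.search(r"(.{3,})\1{2,}", password):  # e.g. "abcabcabc"
        problems.append("repeated pattern")
    return problems


if __name__ == "__main__":
    # Constructed usernames and candidate passwords for a quick demonstration.
    for user, candidate in [("jdoe", "password"), ("jdoe", "correct horse battery staple")]:
        result = check_password(candidate, username=user, org_terms=("Mercy",))
        print(f"{user}: {'OK' if not result else '; '.join(result)}")
```

Storing the breach list as digests rather than plaintexts is the usual practice, and checking against such a list is more effective than composition rules alone because it catches passwords that look complex but are already public.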

2. Stay on top of your software

Install a reputable antivirus program on all devices, and update all software frequently. System updates often contain security patches that fix vulnerabilities which could otherwise expose sensitive data to attackers. End-of-life software, meaning software that is no longer supported by its developers, is a huge security risk. Stop using it.

3. Use a dark web scanner

Consider purchasing a dark web monitoring tool that will scan for your organization’s email addresses on the dark web and show you what information has been exposed. Such tools continuously scan the dark web and alert you when compromised credentials show up.

4. Conduct a network vulnerability assessment

A network vulnerability assessment evaluates your systems for weaknesses. Give yourself the opportunity to harden your systems and address any holes or open ports in your network before they’re exploited by hackers.
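One defensive follow-up to a scan is to compare the open ports it finds against an approved baseline, so that any exposure the baseline does not account for gets flagged for review. The example below (added here; not code from the original post) parses the greppable `-oG` output format that nmap writes and reports unexpected open TCP ports per host. The scan text, host names, IP addresses and baseline are all constructed sample data.

```python
"""Baseline comparison for scan results (added example, not from the original post).

Parses nmap's greppable (-oG) output and reports open TCP ports that are
not in the approved baseline for that host. SAMPLE_SCAN and BASELINE are
constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample in nmap -oG format (fields are tab-separated; each port
# entry is port/state/protocol/owner/service/rpc info/version).
SAMPLE_SCAN = """# Nmap 7.80 scan initiated (constructed sample)
Host: 10.0.0.10 (ehr-app)\tStatus: Up
Host: 10.0.0.10 (ehr-app)\tPorts: 443/open/tcp//https///, 22/open/tcp//ssh///\tIgnored State: closed (998)
Host: 10.0.0.20 (workstation-07)\tStatus: Up
Host: 10.0.0.20 (workstation-07)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

# Approved baseline (constructed): TCP ports each host is expected to expose.
BASELINE = {
    "10.0.0.10": {22, 443},
    "10.0.0.20": set(),  # workstations should expose nothing to this scan
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: ([^\t]*)")


def parse_open_ports(scan_text: str) -> dict[str, set[int]]:
    """Return {host_ip: {open TCP ports}} from nmap -oG text."""
    open_ports: dict[str, set[int]] = defaultdict(set)
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, ports_field = m.groups()
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto == "tcp":
                open_ports[ip].add(int(port))
    return dict(open_ports)


def unexpected_exposures(observed: dict[str, set[int]], baseline: dict[str, set[int]]) -> dict[str, list[int]]:
    """Return {host_ip: sorted ports} for every open port absent from the baseline.

    A host missing from the baseline is treated as allowing nothing, so every
    open port on it is reported.
    """
    findings = {}
    for ip, ports in observed.items():
        extra = ports - baseline.get(ip, set())
        if extra:
            findings[ip] = sorted(extra)
    return findings


if __name__ == "__main__":
    for host, ports in unexpected_exposures(parse_open_ports(SAMPLE_SCAN), BASELINE).items():
        print(f"{host}: unexpected open TCP ports {ports}")
```

Running this against a real scan of your own network means exporting with `nmap -oG` and keeping the baseline under change control, so that a new port showing up is a deliberate decision rather than a surprise.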

5. Conduct a comprehensive HIPAA SRA each year

Conducting a regular Security Risk Analysis is required under the HIPAA Security Rule. The point of an SRA is to give your organization the opportunity to holistically evaluate all of the physical, administrative, and technical safeguards you have in place to protect electronic PHI. This allows you to address any risk to your information security that is uncovered over the course of the analysis.

Keep your organization and your patients safe. Don’t let PHI get tangled in the dark web.