The deep web serves both legitimate and illegal purposes: individuals can use its anonymity to protect their personal information, to communicate clandestinely with sources or whistleblowers, or to engage in criminal activity such as buying and selling other people's personal information.
In this Q&A, Robert Lord, ICIT Fellow and CEO of healthcare and cybersecurity company Protenus, discusses the deep web and its role in the exploitation of patients' protected health information.
Can you explain what exactly the deep web is and how illegal practices are able to be conducted on it? Why should people know about it, and should they be worried?
If you think about the internet in general, think about it like an iceberg. We see the tip of it known as the "clear net" or the "indexed web." That is the information that search engines index and what we can Google -- our everyday internet. Four hundred to five hundred times more data is housed underneath the iceberg. That is the deep web that's not accessible by normal means; we need to use tools like the Tor browser.
You can use a different set of protocols to gain information, such as documents, or to preserve privacy when journalists communicate confidentially and privately with sources. It is also used by citizens whose countries block the use of the internet, and it is used, unfortunately, for a lot of criminal activity.
Thinking of the deep web more as a tool for anonymity is instructive. The deep web can protect people who have legitimate fears about a government crackdown or individuals who have private information, such as journalists, who want to protect sources and whistleblowers.
What specific risks does the deep web pose to electronic, protected health information and how do these risks influence health providers' HIPAA compliance processes?
As a nation, we are in a serious crisis right now. What we did was spend tens of millions of dollars rolling out electronic health records. We put very little thought into how we were going to protect that data. We digitized 300 million Americans' lives, but all that information is protected in a rather weak way. Unfortunately, hackers and insiders have decided that healthcare is a very soft target, and that protected health information is extraordinarily valuable.
Business associates, contractors and employees all have the ability to access that information, and it can then be sold on markets like the deep web. On the deep web are markets that use anonymous profiles that show whether people are certified buyers or sellers, providing an easy way to sell data. The deep web facilitates this transfer of monetized data. In 2015, there were 113 million medical records that were breached -- a third of our nation's medical records.
Among companies whose patients' data was leaked, were compliance regulations being met, or did the companies fall short and make this exploitation of patients' protected health information possible?
One of the main challenges that hospitals face is extraordinarily constrained budgets. There are all sorts of mandates from the government and industry organizations that are pushing them, and cybersecurity is not prioritized in budget allocation. There's a huge challenge with hospitals investing strategically in cybersecurity resources.
Hospitals have gotten a lot of vendor fatigue. What's happened is that oftentimes they're not looking towards the next generation technology, the technology that they need to protect electronic health records, because there's so much information being presented to them that they don't know what to look at and what not to look at.
What advice can you offer to healthcare providers and other businesses to prevent these types of exploits from happening in the future?
An extraordinarily small fraction of healthcare companies' budgets -- 5% -- is spent on cybersecurity. Other companies with less sensitive information, such as financial institutions, spend about 12-15% of their budget on cybersecurity. Healthcare is the most popular target for hackers. Companies have to educate their workforce on security and privacy and why healthcare data is so valuable.
Are there any particular cybersecurity strategies that are proving effective against deep web exploits? How can companies best protect business and customer information from them?
One of the really important things is to have a C-suite and board of director level buy-in for cybersecurity. The most successful organizations we work with have a direct line of communication that allows the security and privacy groups to communicate with the board and C-suite to set goals and communicate cybersecurity strategies.