Even when appropriate controls are implemented to secure electronic protected health information (ePHI), data breaches can still occur. Mistakes are made with the configuration of firewalls, ePHI is accidentally disclosed to unauthorized individuals, and phishing attacks and malware allow criminals to gain access to ePHI. Healthcare data breaches have now become as inevitable as death and taxes despite the best efforts of healthcare organizations to keep ePHI secured.
The Department of Veterans Affairs is the largest integrated health system in the United States, with more than 1,700 locations providing healthcare services to more than 8.76 million veterans. The VA stores a considerable volume of ePHI, which makes it a large target for cyberattackers.
In April alone, the VA blocked 77.69 million intrusion attempts, blocked and/or contained almost 460 million malware samples, and blocked more than 105 million malicious emails. With so many attempted attacks, occasional data breaches are to be expected. When breaches occur, lessons are learned, systems are improved, and security vulnerabilities are plugged to prevent future attacks from taking place.
This month, the Department of Veterans Affairs is going a step further and is trying to discover whether any of its stolen data are being offered for sale on the Internet.
Cybercriminals looking to sell stolen data do not advertise via Google. Instead, data are listed for sale on underground forums and on darknet marketplaces. These sites are not indexed by the search engines, so determining whether stolen data are being offered for sale is a complex task. The VA has reached out to vendors and is seeking assistance.
The VA is looking for vendors who are able to scour the darknet to discover whether its stolen data are being traded or sold. On May 12, the VA issued a request for information to find vendors who are able to create a one-way encrypted hash of its data to enable a data search to be conducted on the darknet.
Vendors must be able to guarantee that the hash of VA data cannot be used inappropriately and that software or searches will not place VA data or personally identifiable information of veterans at risk of exposure. Software must be capable of determining the source of any stolen data that are discovered to confirm whether the source was the VA or another entity. Vendors must also be able to guarantee that their software complies with all VA IT security policies.
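The sketch below is an added illustration, not part of the VA request or any vendor's product, of how a one-way hash can support this kind of matching. It assumes three hypothetical record fields (name, date of birth, identifier), constructed sample data, and a keyed hash (HMAC-SHA256) whose key stays with the data owner, because an unkeyed hash of a short, predictable identifier can be reversed by enumerating every possible value.

```python
import hashlib
import hmac
import re

def normalize(record):
    """Canonicalise a record so formatting differences do not change its hash."""
    # Lowercase each field and keep only letters and digits; "|" can then
    # never occur inside a field, so the joined form is unambiguous.
    fields = (re.sub(r"[^a-z0-9]", "", str(v).lower()) for v in record)
    return "|".join(fields).encode()

def fingerprint(key, record):
    """Keyed one-way hash (HMAC-SHA256) of a normalised record."""
    return hmac.new(key, normalize(record), hashlib.sha256).hexdigest()

def build_index(key, records):
    """Set of fingerprints; this is all that needs to leave the source system."""
    return {fingerprint(key, r) for r in records}

def match_dump(key, index, dump):
    """Return the dump rows found in the index and the fraction that matched.

    A high fraction indicates strong overlap with the indexed data set;
    it is evidence about the source, not proof of it.
    """
    hits = [row for row in dump if fingerprint(key, row) in index]
    ratio = len(hits) / len(dump) if dump else 0.0
    return hits, ratio

# Constructed sample values (hypothetical fields, not real data).
KEY = b"constructed-demo-key-not-a-real-secret"
OWNER_RECORDS = [
    ("Alex Example", "1970-01-02", "000-00-0001"),
    ("Sam Sample", "1980-03-04", "000-00-0002"),
    ("Pat Placeholder", "1990-05-06", "000-00-0003"),
]
DUMP = [  # rows as they might appear in a discovered listing
    ("alex example", "19700102", "000000001"),   # same record, other format
    ("Jo Other", "1975-07-08", "000-00-0009"),   # not in the owner's data
    ("SAM SAMPLE ", "1980/03/04", "000 00 0002"),
]

if __name__ == "__main__":
    hits, ratio = match_dump(KEY, build_index(KEY, OWNER_RECORDS), DUMP)
    print(f"{len(hits)} of {len(DUMP)} rows matched ({ratio:.0%})")
```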
Vendors have been given until May 26 to contact the VA with their proposals.