As a safeguard for patients’ personal or financial data, to protect the integrity of pharmaceutical products and medical processes, and for various other reasons, organizations operating in the healthcare sector are required to comply with conditions set out by legal frameworks such as the Health Insurance Portability and Accountability Act (HIPAA).
These provide recommendations and regulatory compliance demands which are supposed to protect patient privacy and sensitive information, and other data assets that could prove to be money-spinners or tools for blackmail and extortion if used by cyber-criminals.
Legal obligations and directives like these are meant to contribute to the overall security of healthcare facilities and related institutions and prevent attacks and healthcare data breaches.
But when the Ponemon Institute conducted a survey of healthcare organizations in 2016, it discovered that 90% of them had experienced a data breach in the previous two years. 45% of those polled had experienced more than five data breaches during that same period. More than 60% of those surveyed reported experiencing at least one cyber-attack.
In 2017, 477 separate security breaches in the health industry exposed 5.6 million patient records to external hackers, internal errors, or malicious insiders. Clearly, healthcare data breaches are a persistent problem and an ongoing threat to the public at large.
But why is the sector such an easy target – and what might be done to remedy this situation?
Protectors of Health – and Secrets
Hospitals, emergency services, pharmacies, urgent care clinics, health insurance companies, and other healthcare agencies furnish the skills, materials, and resources necessary to provide individual patient care and therapy, drug treatments, and measures to ensure public health and safety.
To do this, they require in-depth knowledge of the people that they serve: their medical histories, financial situations, personal circumstances, and any number of other relevant factors. This means gathering and holding onto (for however long is necessary) large amounts of detailed and sensitive information.
Data such as this is also of high value to those who’d wish to exploit it on the open market. Personally identifiable information (PII) such as names, addresses, Social Security numbers, and bank and credit card details often resides on healthcare databases alongside health insurance information, patient medical histories, Medicaid or similar health plan ID numbers, and other data which constitute electronic protected health information (ePHI).
All of these data items could be of value to cyber-criminals, spies, and fraudsters – whether as assets in building up personality profiles for identity theft or the creation of false identities, as a foundation for scams and deception, or as tools and leverage in mounting infiltration or extortion schemes against individuals or the organizations that they work for.
Healthcare Data Breaches – A Relatively Easy Mark
While it’s necessary for healthcare agencies to collect and store information relevant to their “customers”, the sad truth of the matter is that most organizations don’t have adequate protection in place to ensure that they can do this safely. This might be due to a lack of funding (e.g., in the case of government institutions, small private companies, or start-ups), a shortage of personnel, a lack of knowledge in security and related matters, a sense of complacency (“That could never happen to us”), or any combination of these factors.
Physical security measures at offices and treatment facilities, secure password and authentication procedures for computer systems, rules governing how information is moved in or out of a facility on mobile devices, USB drives, or laptops, and measures for encrypting information held in their databases may all be lacking, in some way.
Whatever the case, organizations in the healthcare industry have been and continue to remain a comparatively “soft touch”, in the eyes of hackers, infiltrators, extortionists, and other cyber-criminal elements, and healthcare data breaches have become a common problem and a real threat.
A Poor Track Record
The statistics concerning the performance of the healthcare sector in terms of security make for dismal reading.
- Between 2015 and 2016, the Identity Theft Resource Center (ITRC) reported that the total number of security breaches in the U.S. increased by 40%.
- According to a Healthcare Breach Report from Bitglass, 328 individual healthcare breaches occurred in 2016 – up from the previous record of 268 instances in 2015.
- A February 2017 Accenture survey revealed that healthcare data breaches have affected 26% of U.S. consumers. That’s more than one in every four Americans.
- That same Accenture survey also discovered that 50% of breach victims eventually suffered medical identity theft, which ended up personally costing them an average of $2,500.
- Ponemon’s survey reveals that patient information losses average $2.2 million for a direct target breach, and over $1 million for a healthcare organization’s business partners.
- The Ponemon Institute survey also disclosed that 37% of the organizations polled reported experiencing cyber extortion from ransomware attacks in the 2018 fiscal year.
Healthcare data breaches represent a massive financial exposure to the industry. Even the loss of a single set of patient records can have expensive consequences, ranging from the Ponemon Institute’s 2016 estimated cost of $402 per leaked record suffered by a breached healthcare facility, to the potential for much higher personal financial losses, inconvenience, and reputational damage to the patient concerned.
Larger scale incidents have the potential to negatively impact significant numbers of people. For example, NewKirk Products – an issuer of healthcare ID cards for several organizations, including the massive Blue Cross Blue Shield health insurance group – suffered a data breach in mid-2016 which affected an estimated 3.47 million patients.
At the worst level, the Indianapolis-based Anthem (a Blue Cross facility) reported a data breach early in 2015 which exposed the records of approximately 78.8 million patients, making this the largest healthcare data breach of all time.
Healthcare Data Breaches – A Slow Process of Evolution
That record-breaking Anthem data breach apparently occurred after an employee of one of Anthem’s subsidiary companies opened a single phishing email. A link in the message downloaded malware onto Anthem’s network, which enabled hackers to gain access to the company’s database.
It seems that security awareness and cyber-security best practices are slow to catch on, in the healthcare sector. And cyber-security spending doesn’t appear to be a priority, in the eyes of most healthcare organizations. 40% of the respondents to a recent HIMSS survey said that only 1% to 2% of their organizations’ budgets goes to cyber-security.
Hardly encouraging, in a security landscape where most experts agree that hacking is becoming easier for the perpetrators – and one in which insider threats such as malice, mistakes, and negligence continue to be the leading cause of security breaches in the healthcare industry.
Some Signs of Hope
There’s some light in the darkness, however.
Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society, is of the opinion that healthcare organizations have been improving their cyber-security programs, overall. Institutions which employ a chief information security officer (CISO) tend to have better security cultures in place, and are better equipped to handle those incidents that occur.
There’s also an increasing willingness to disclose. In many of the documented “name and shame” breaches, victims complained of having to discover for themselves that their data had been stolen or exposed, rather than hearing it from the healthcare body. Many healthcare organizations have previously been reluctant to report their data breaches, fearing a backlash in public trust and bad publicity.
But there’s still a long way to go.