Data breaches have become a common occurrence in every industry. In healthcare, however, responding to a data breach costs more than in any other industry in the United States, according to IBM and Ponemon Institute’s 2017 Cost of Data Breach Study. Healthcare providers can nonetheless take proactive steps to limit the cost and reputational damage if a breach does occur. On August 2nd at 1 pm EST, we will host an educational webinar for healthcare organizations on the role that PCI-validated Point-to-Point Encryption (P2PE) plays in encrypting patient payment data and making cardholder information useless to hackers.
The State of Healthcare Data Breaches
It is no secret that cyber thieves love to target the healthcare industry. Recent reports show that healthcare is now the most heavily attacked sector, ahead of both the widely reported large retailer breaches and the financial services sector. 2016 has been described as the year of the healthcare data breach: it saw 376 healthcare data breaches, by some estimates affecting 1 in 3 Americans, with approximately 16 million records stolen and a price tag of $5.6 billion in damages.
With so many pieces of data to choose from, cyber thieves can sell off bits of compromised records for multiple fraudulent acts including credit card fraud, insurance fraud and identity theft. The Ponemon Institute reports that in 2016, the average cost per breached consumer record was $141. That number skyrocketed to $380 per record for healthcare organizations.
Why do hackers breach healthcare systems? To find valuable data that can be resold on the black market, especially payment data. Malware was the culprit in both the multi-million-dollar Anthem and Target breaches, and it is responsible for a large percentage of point-of-sale (POS) breaches, to the tune of 5 malware attacks every second, or roughly 170 million each year. Hackers break into networks through a misconfigured firewall or a compromised third-party vendor, and once in they install malware that scrapes unencrypted card data from the memory of the POS software that handles it; the data is then sent to remote servers, packaged and resold to fraudsters.
Hacks Have Taken a Toll on the Healthcare Industry
Looking back at the last few years, it is safe to say that healthcare organizations have suffered more than their fair share of data breaches, and there are no clear signs of the trend slowing down.
In February of 2015, attackers used malware to steal troves of information from Anthem Inc. Names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and employment information, including income data, were taken for some 80 million of Anthem’s customers, its own CEO among them.
Although Anthem was quick to report the breach to the FBI, the clean-up continues two years later: Anthem has agreed to pay $115 million to resolve consumer claims and class-action lawsuits, the largest data breach settlement to date.
2016 did not show any improvement. In fact, 2016 was by far the worst year yet for reported data breaches, with an all-time record of 1,093 across all industries; 376 of those were in the healthcare sector, 34.5% of the overall total.
A recent year-in-review Breach Barometer report from Protenus found that 2016 averaged at least one health data breach per day, affecting more than 27 million patient records. If 2016 trends continue, according to the report’s authors, 2017 can expect to see at least one health data breach disclosed per day.
2017 is on track to become another record-breaking year for healthcare breaches. Dozens of reported breaches show increases in hacking and theft incidents as well as in human error, and millions of patient records have been exposed or stolen by hackers looking to sell the valuable data on the black market.
Figures for the first quarter of 2017 show the number of breaches rising, with increases in theft incidents, hacks and unauthorized disclosures. Between January 1st and March 31st, 2017, OCR received 79 data breach reports from HIPAA covered entities and business associates. Those breaches resulted in the theft or exposure of 1,713,591 healthcare records. While fewer individuals were affected than in the same period of 2016, the number of reported breaches increased by more than 23%.
PCI-Validated P2PE Is a Proactive Payment Security Solution
There are two security paths that healthcare organizations can take in the fight against malware: Defend the Fort or Devalue the Data. With the Defend the Fort approach, organizations build stronger, higher and more expensive walls of security around their systems and data; but memory-scraping POS malware that gets past the walls still finds clear-text card data in the POS software’s memory. With the Devalue the Data approach, companies employ security technology to devalue cardholder data before it reaches their systems and networks, so the data is useless to hackers if it is exposed. The two are complementary, but only the second removes the clear-text card data that the malware is after.
To protect patients and their data, healthcare organizations are turning to security technologies such as PCI-validated Point-to-Point Encryption (P2PE) to encrypt credit and debit card data, while reducing PCI DSS assessment scope. The scope reduction depends on using a solution listed on the PCI Security Standards Council’s P2PE list and operating the devices as the solution’s P2PE Instruction Manual requires; an organization that does so may be eligible for the shorter SAQ P2PE rather than a full PCI DSS assessment.
In March 2014, Bluefin became the first North American company to receive PCI validation for a P2PE solution. Bluefin’s PCI-validated P2PE solutions encrypt cardholder data at the Point of Interaction (POI), inside the payment terminal, so no clear-text cardholder data is ever present in the organization’s systems or network where it could be accessed in the event of a data breach. Decryption takes place only in the P2PE solution provider’s decryption environment, to which the organization’s own systems hold no key.
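To make the "Devalue the Data" point concrete, here is an added example (not Bluefin’s or the PCI Council’s code) that runs a RAM scraper of the kind behind the POS breaches described above against a simulated merchant host, once with the POS software handling the swipe itself and once with the terminal encrypting at the POI. The Track 1 record, the transaction buffer layout and the amounts are constructed for the demo, and the cipher is a standard-library stand-in (an HMAC-SHA256 keystream with an HMAC tag) for the DUKPT/TDES or AES that a listed P2PE device performs inside tamper-resistant hardware; it is for illustration only and should not be reused as a cipher. All function names are the example’s own.

```python
"""
Added illustration (not Bluefin's or PCI SSC's code): memory-scraping POS
malware versus a host that only ever holds POI-encrypted card data.

ASSUMPTIONS: TRACK, the buffer layout and the amounts are constructed for
the demo. poi_encrypt/p2pe_decrypt are a stdlib stand-in for the hardware
crypto of a listed P2PE device; they are NOT a production cipher.
"""
import base64
import hashlib
import hmac
import re
import secrets

# Constructed Track 1 record: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# 4111111111111111 is the well-known Visa test PAN and passes the Luhn check.
TRACK = b"%B4111111111111111^DOE/JOHN^251210100000?"

# Digit runs of PAN length, not embedded in a longer run of digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that scrapers use to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> list:
    """What memory-scraping POS malware does: find 13-19 digit runs, keep Luhn-valid ones."""
    return [m.decode() for m in PAN_RE.findall(memory) if luhn_ok(m.decode())]


# ---- stand-in for the POI device's cryptography (illustrative only) ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def poi_encrypt(device_key: bytes, track: bytes) -> bytes:
    """Runs inside the terminal. Output: nonce || ciphertext || tag. The key never leaves the device."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(device_key, nonce, len(track))))
    tag = hmac.new(device_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def p2pe_decrypt(device_key: bytes, blob: bytes) -> bytes:
    """Runs only in the solution provider's decryption environment, never on the merchant host."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(device_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(device_key, nonce, len(ct))))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    try:
        p2pe_decrypt(key, blob)
        return True
    except ValueError:
        return False


# ---- the merchant host's transaction buffer under the two architectures ----
def host_memory_without_p2pe(track: bytes) -> bytes:
    """POS software parses the swipe itself, so clear-text track data sits in its RAM."""
    return b"POS_TXN_BUFFER " + track + b" AMOUNT=42.17"


def host_memory_with_p2pe(device_key: bytes, track: bytes) -> bytes:
    """The terminal hands the host an opaque blob; the host only forwards it."""
    blob = base64.b64encode(poi_encrypt(device_key, track))
    return b"POS_TXN_BUFFER " + blob + b" AMOUNT=42.17"


def extract_blob(memory: bytes) -> bytes:
    """What the host forwards to the P2PE decryption environment."""
    return base64.b64decode(memory.split()[1])


def run_demo(device_key: bytes = None) -> dict:
    """Scrape both host images; decrypt with the real key and with a guessed one."""
    device_key = device_key or secrets.token_bytes(32)
    p2pe_mem = host_memory_with_p2pe(device_key, TRACK)
    blob = extract_blob(p2pe_mem)
    return {
        "scraped_without_p2pe": scrape_pans(host_memory_without_p2pe(TRACK)),
        "scraped_with_p2pe": scrape_pans(p2pe_mem),
        "decrypted_by_provider": p2pe_decrypt(device_key, blob),
        "host_key_guess_rejected": not can_decrypt(secrets.token_bytes(32), blob),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Run as a script, the scraper recovers the PAN from the first buffer and nothing from the second, while the provider side decrypts the forwarded blob and a guessed key is rejected. Two points follow for scoping: the host never holds the device key, which is why it can fall out of the cardholder data environment, and encrypting in software on the host itself would not help, because the scraper reads memory before that encryption happens.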