The case with Apple and the FBI has pushed the topic of encryption (and decryption) to the forefront of everyday discussion. And it is sure to be a hot topic at this week’s annual HIMSS Conference & Exhibition, the leading show for 40,000 Healthcare IT professionals. Healthcare is the new darling of cyberthieves thanks to the black market value of healthcare data, and patient data encryption and payment encryption are key tools in the fight against hackers. Stop by Bluefin’s booth #4075 to learn more about our PCI-validated Point-to-Point Encryption (P2PE) solutions for healthcare.
Healthcare Data is Highly Lucrative
It isn’t difficult to see why healthcare is a growing hacker target. With troves of sensitive patient information being gathered – social security numbers, medical records, and payment information – this data has incredible value. In fact, the Ponemon Institute’s 2015 Cost of Data Breach Study found the average cost per lost or stolen record to be $154. That number skyrockets to $363 on average for healthcare organizations.
Not surprisingly, 2015 racked up a significant number of data breaches – 781 according to the Identity Theft Resource Center (ITRC), with a whopping 277 of these in healthcare and 112 million records exposed in this segment alone.
In 2015, 98% of recorded healthcare leaks were due to large-scale breaches targeting the industry. Some examples of big 2015 hacks include the Premera Blue Cross hack, involving 11 million customers, and the Anthem hack, which resulted in 78.8 million leaked customer records.
Healthcare IT Systems are an Open Target for Malware
Cyber thieves have caught on to the fact that hospitals and other healthcare organizations are full of vulnerabilities that are easy to exploit. The Raytheon/Websense 2015 Industry Drill-Down Report – Healthcare found that the healthcare sector is four times more likely to suffer advanced malware attacks than any other industry.
“The rapid digitization of the healthcare industry, when combined with the value of the data at hand, has led to a massive increase in the number of targeted attacks against the sector,” said Carl Leonard, Raytheon|Websense principal security analyst. “While the finance and retail sectors have long honed their cyber defenses, our research illustrates that healthcare organizations must quickly advance their security posture to meet the challenges inherent in the digital economy – before it becomes the primary source of stolen personal information.”
Hackers at Independent Security Evaluators, a Baltimore-based research group, spent two years studying cybersecurity flaws in hospitals by hacking into their systems (without malicious intent). The research team was easily able to take control of a hospital’s network simply by entering the hospital lobby and using one of the provided kiosks to access patients’ monitors, disable hospital alarms and, shockingly, even tamper with bloodwork requests. The group’s findings determined that focusing on the cybersecurity of the patient record wasn’t enough. In the hands of the wrong person, access to these critical areas in a hospital network could put patient lives at risk. Keeping patient records safe is a priority, but clearly, more needs to be done to protect every aspect of the hospital system.
The results of the study are alarming, but security experts have been trying to warn healthcare providers about network safety for quite some time.
As far back as April 2014, the FBI warned healthcare providers that their cybersecurity systems were weak compared with those of other industries, meaning they were vulnerable to attacks by hackers. If the FBI’s warning isn’t compelling enough to move healthcare organizations to action, the example of high-profile data hacks against companies such as Anthem should be. Accenture estimates that between 2015 and 2019, healthcare providers could lose $305 billion in cumulative lifetime revenue from patients impacted by medical identity theft. Since a large number of data intrusions are detected as much as eight months after the initial hack — meaning organizations may not realize that intruders are already working in their environment — it’s high time for healthcare organizations to improve their security systems and processes.
Encryption is a Key Factor in Healthcare Cybersecurity
Healthcare organizations can implement a number of initiatives to go from reactive to proactive in the fight to secure patient data. Efforts include routine exercises designed to test their own system’s vulnerability as well as putting measures in place to reduce the loss or theft of laptops and other devices within the hospital system that contain data, which account for 65% of the data breach incidents reported to the U.S. Department of Health and Human Services.
Additionally, healthcare data encryption is a “particular imperative,” and one that should also be considered by other organizations when it comes to protecting personal data stored on laptops, desktop computers, and mobile devices, according to California Attorney General Kamala D. Harris in the California Data Breach Report released last week. And it is why major healthcare associations, such as HIMSS, are devoting entire programs to cybersecurity and encryption at their annual conferences.
Bluefin Payment Systems specializes in Point-to-Point Encryption (P2PE) for the healthcare industry. Validated by the PCI Security Standards Council, Bluefin’s P2PE suite of solutions ensures that credit card information is encrypted at the Point of Interaction (POI), so that it cannot be read or decrypted at any point within the merchant’s network. Bluefin is working on using its technology to encrypt data sources outside of payments, including those found in medical records.