As the dust settles on 2019 data breaches, it’s estimated that healthcare-related data breaches will have cost the industry $4 billion. Healthcare records hold so much valuable data that it is not surprising that healthcare has become hackers’ favorite new target – or that these breaches are sure to rise.
“Health information is a treasure trove for criminals,” Tom Kellermann, chief cybersecurity officer of Carbon Black, tells HealthTech. “By compromising it, by stealing it, by having it sold, you have seven to 10 personal identifying characteristics of an individual.”
The Ponemon Institute found that healthcare leads all industries with the highest cost of a data breach, $6.45 million, and the highest average compromised record cost at $429.
Hackers are After Valuable Data
Hackers are attacking healthcare organizations because they hold personally identifiable information (PII) and personal health information (PHI), which can be used for malicious purposes including financial fraud, medical identity theft, identity theft, and phishing. Many people can’t afford or don’t qualify for health insurance, so there is a market for this stolen information.
Chris Hinkley, director of Armor’s TRU, told HealthcareITNews: “Cybercriminals are very aware of the value these healthcare records possess,” he explained. “First, medical records contain an individual’s insurance credentials, and these are worth a lot, especially for someone who cannot qualify or afford medical coverage and needs an expensive medical procedure.”
One of the largest data breaches reported in 2019 was at the American Medical Collection Agency (AMCA). AMCA collected medical debt for healthcare organizations including Quest Diagnostics, LabCorp, and Inform Diagnostics. Unauthorized individuals had access to a web payment page and were able to obtain personal and financial payment information. Patients’ names, dates of birth, service dates, medical service providers, health insurance information, and other medical information were stolen, and a portion of the patients had their social security numbers, credit/debit card numbers, and/or financial information exposed. In total, 24,390,307 records were exposed.
AMCA spokesperson Jennifer Kain said in a statement, supplied through crisis communications firm Brunswick Group, that it was “investigating” the breach.
“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” said the spokesperson.
Why Is Healthcare an Easy Bull’s-eye?
Malicious software, also referred to as malware, is one of the biggest threats to the healthcare industry: it can go undetected for a long time, and it is easy for cyber thieves to gain access to a healthcare organization’s servers and devices. In March 2018, a surgical center affiliated with St. Peter’s Hospital in Albany, NY, was hit by a computer breach in which hackers installed malware on its servers. An estimated 135,000 patient records were compromised.
Phishing scams have become a very popular way for cyber thieves to get valuable data. The cyber thieves target a handful of employees who have access to sensitive information at a company; the fewer employees they target, the more likely they are to go unnoticed. In January, PIH Health detected that several employee accounts had been compromised. It was reported that nearly 200,000 patients’ data were potentially compromised after a targeted phishing campaign.
Sometimes, cyber criminals don’t sell patients’ information – they hold it hostage and demand a ransom from the hospital or the healthcare provider for a “key” that unlocks the data. In June 2019, an estimated 85,000 patients’ data were affected in a ransomware attack at Grays Harbor Community Hospital in Aberdeen, WA. Hackers demanded the ransom in bitcoin, a cryptocurrency, and requested $1 million. The FBI advised Grays Harbor Community Hospital and Harbor Medical Group not to pay the ransom demand, according to the organizations.
Grays Harbor Community Hospital CEO Tom Jensen said in a statement, “As with many other organizations, we thought we were well prepared, and we were still victimized. We are proud of the efforts of our providers and staff continuing the same level of excellent patient care during this setback.”
Encryption and Tokenization are Key to Protecting Healthcare Data
Healthcare organizations can implement a number of initiatives to go from reactive to proactive in the fight to secure patient data. Efforts include recurring exercises designed to test their own systems’ vulnerabilities, as well as measures to reduce the loss or theft of laptops and other data-bearing devices within the hospital system; such loss and theft accounts for 65% of the data breach incidents reported to the U.S. Department of Health and Human Services.
Additionally, healthcare data encryption is a “particular imperative,” and one that should also be considered for other organizations when it comes to protecting personal data stored on laptops, desktop computers, and mobile devices, according to California Attorney General Kamala D. Harris in the California Data Breach Report. And it is why major healthcare associations, such as HIMSS, are devoting entire programs to cybersecurity and encryption at their annual conferences.
Bluefin specializes in payment and data security solutions for the healthcare industry, including PCI-validated Point-to-Point Encryption (P2PE), which safeguards cardholder data entered at the point of sale or over the phone, and tokenization of Personally Identifiable Information (PII), Personal Health Information (PHI), and payment data entered online with our ShieldConex® platform. We are a staunch advocate of devaluing all valuable data and taking a holistic approach to security. Contact us to learn more about our solutions.
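The “devaluing” idea behind tokenization can be made concrete in a few dozen lines. The example below is added here for illustration; it is not Bluefin’s ShieldConex code nor any vendor’s API. It assumes a hypothetical `TokenVault` kept in memory (a real vault lives in a separately secured, encrypted store backed by a KMS or HSM), a hypothetical `billing-service` role as the only one allowed to detokenize, and constructed sample values (the SSN and the well-known `4111…` test card number). Application records store only random tokens plus the last four card digits for display, so a copy of the patient table leaks neither SSNs nor card numbers; a keyed HMAC index lets the same SSN map to the same token without the vault keeping a plaintext lookup table.

```python
"""Tokenization vault sketch: application records hold tokens, not PII/PHI.

Added example, not Bluefin's or any vendor's code. The vault is an in-memory
dict here; a real deployment keeps it in a separately secured, encrypted store.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    # Key for the keyed lookup index; constructed here, would come from a KMS/HSM.
    index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _by_token: dict = field(default_factory=dict, repr=False)  # token -> original
    _by_index: dict = field(default_factory=dict, repr=False)  # HMAC(value) -> token

    def _index(self, field_name: str, value: str) -> str:
        # HMAC over field name + value: the index stores no plaintext, and an SSN
        # and a card number that happen to share digits never collide.
        msg = f"{field_name}\x00{value}".encode()
        return hmac.new(self.index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, field_name: str, value: str) -> str:
        idx = self._index(field_name, value)
        if idx in self._by_index:
            # Same value -> same token, so records can still be joined on it.
            return self._by_index[idx]
        # Random token: no mathematical relationship to the original value,
        # so it cannot be reversed without access to the vault.
        token = f"tok_{field_name}_{secrets.token_urlsafe(16)}"
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only a narrowly authorized role (hypothetical name) may recover the original.
        if caller_role != "billing-service":
            raise PermissionError(f"detokenization not permitted for role {caller_role}")
        return self._by_token[token]


def build_patient_record(vault: TokenVault, name: str, ssn: str, card_number: str) -> dict:
    """Build the record the application database would store: tokens, not secrets.
    The name is left in clear only to keep the demo short; it tokenizes the same way."""
    return {
        "name": name,
        "ssn_token": vault.tokenize("ssn", ssn),
        "card_token": vault.tokenize("card", card_number),
        "card_last4": card_number[-4:],  # enough for "ending in 1111" display
    }


def record_exposes_secrets(record: dict, ssn: str, card_number: str) -> bool:
    """True if a leaked copy of the record would reveal the SSN or full card number."""
    blob = " ".join(str(v) for v in record.values())
    return ssn in blob or card_number in blob


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample values, not real data.
    rec = build_patient_record(vault, "Jane Doe", "123-45-6789", "4111111111111111")
    print(rec)
    print("leaks secrets:", record_exposes_secrets(rec, "123-45-6789", "4111111111111111"))
    print("billing can detokenize:", vault.detokenize(rec["card_token"], "billing-service")[-4:])
```

The design point is where the risk moves: the patient table becomes low-value, and the vault, which holds the originals, is the one system that needs hardware-backed keys, tight network isolation, and audited detokenization calls. Breach monitoring can then focus on detokenize requests from unexpected roles or at unusual volume, rather than on every table that once held a card number.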