It is no secret that cyber thieves love to target the healthcare industry. Recent reports show that healthcare is now the most heavily attacked field, even above the highly reported large-retailer breaches as well as breaches within the financial services sector. Described as the year of the healthcare data breach, 2015 saw 253 healthcare data breaches, with 1 in 3 Americans affected – that is approximately 112 million records stolen with a price tag of $5.6 billion in damages. Healthcare organizations such as Children’s Healthcare of Atlanta and our new Decryptx partner, OnPlan Health, view P2PE as a necessary solution to protect a very important element of patient data – credit card information.
It is hard to believe the numbers, but a new study released by the Ponemon Institute proves that a shocking “90 percent of healthcare organizations were the victims of a data breach in the past two years, and 45 percent had more than five data breaches during that same time period.”
“The fact that healthcare is bearing the brunt of cyberattacks is no surprise, given the unique black market value of the complete sets personal information sitting in electronic medical records, including patient names, family history, Social Security Numbers, and billing information,” commented Dylan Sachs, director of identity theft and anti-phishing for security vendor BrandProtect.
With so many pieces of data to choose from, cyber thieves can sell off bits of data here and there for multiple fraudulent acts including insurance fraud, phishing scams, and identity theft, plus many more. It’s a lucrative industry for cyber thieves to hack, and the Ponemon Institute reports that the average cost per lost or stolen record is $154. That number skyrockets to $363 on average for healthcare organizations.
Patient data is not only valuable, it’s highly vulnerable – and hackers know it. While many of the breaches can be the result of an employee error, we are seeing more hackers breaking into networks to steal patient data. Of the reported breaches in the Ponemon study, criminal attacks were the leading cause, with malware, phishing and denial of service attacks as well as ransomware listed as the top cyber threats facing healthcare organizations.
Although Ponemon reveals the grim truth surrounding healthcare data breaches, there is, however, a hint of promise that healthcare providers are taking steps towards safeguarding their data.
“While employee negligence and lost/stolen devices used to be a primary causes of data breaches, criminal attacks are now the number-one cause,” said Dr. Larry Ponemon, Chairman and founder, Ponemon Institute. “Since first conducting this study, healthcare providers are starting to make investments to protect patient information, which need to keep pace with the growing cyber threats.”
A Proactive Response
Could it be that the healthcare industry is taking some important steps towards cybersecurity adoption? Looking at predictions for 2016, the answer is a necessary yes from Forbes healthcare contributor Dan Munro:
“In 2016, we’re going to see a huge movement towards encryption in hospitals and other healthcare facilities in order to protect EHRs and other vulnerable PHI. Encrypting data is vital to protecting patient information. Recent privacy and security laws, like those from New Jersey, are mandating that insurance carriers must encrypt personal information. This will logically include anyone that deals with the carriers and handles PHI.”
Some healthcare providers have already made giant strides by adopting encryption technologies to keep their data safe, and in the process, becoming leaders on the forefront of data protection.
Case in point is Children’s Healthcare of Atlanta (CHOA). As one of the largest pediatric clinical care providers in the U.S. and home to one of the top pediatric surgery programs in Georgia, CHOA saw the need to protect their patients’ credit card information with one of the most secure technologies available – Bluefin’s PCI- Validated Point-to-Point Encryption (P2PE). We asked CHOA’s Corporate Treasury Manager, Selwyn Carter, what made CHOA interested in implementing a P2PE solution.
“Due to the complexity of our hospital network, we wanted to implement a solution that would provide our customers with the most secure method of processing a credit card transaction at our various locations. We implemented Bluefin’s P2PE technology to reduce the number of applicable PCI DSS requirements for our cardholder data environment (CDE) and to provide our customers with the most secure technology available in the market for their data.”
And then there are companies such as OnPlan Health, which partner with Bluefin to provide our PCI P2PE solution on their proprietary platform and direct to their healthcare clients.
“As credit card transactions continue to rise along with the risk of cardholder breach, healthcare providers are beginning to realize the security and compliance impact of taking payments over the phone or in person using web services, where malware could compromise card entry,” said David King, OnPlan’s Chief Technology Officer. “Bluefin is aligned with OnPlan’s vision, technology and strategy to deliver a simple and elegant solution tailored for the complex healthcare payment ecosystem.”
The good news is that healthcare organizations are recognizing that there are solutions available to proactively stop the bleeding – and they are starting to adopt them.