In 2017, the Ponemon Institute released a study that found a whopping 90% of healthcare organizations were the victims of a data breach in the past two years. Ashe Health Facilities Management reports that healthcare is now the most heavily attacked industry – rising above the highly reported large retail data breaches as well as breaches within the financial services sector.
Why is Healthcare Data So Attractive?
Not surprisingly, healthcare organizations must collect troves of patient data to effectively treat, track and bill us. This makes hospitals, clinics and any organization serving patients a prime hacker target. Cyber thieves who target healthcare organizations have two main objectives in mind:
- There is a lot of valuable information in patients’ files that can be resold on the black market; this information includes Social Security numbers, birthdates, payment information, family history, and much more. According to Ponemon’s 2017 Data Breach report, the average cost of a data breach was $3.62 million globally – a 10% decline from their 2016 survey. However, healthcare data breaches cost organizations $380 per record. That is more than 2.5 times the global average across industries of $141 per record.
- Due to the high cost of health insurance and medical procedures, criminals sometimes assume someone’s identity to get medical services. Forbes reported that in 2016, there were 27 million medical records breached and many of those patients’ identities were stolen. Not only does this hurt the victim’s credit score, but it also affects their future medical care. And it can take years for victims to find out that their identity was stolen. Often, they won’t find out until they get a collections call from their doctor’s office, or until they dispute an insurance claim. But once the victim finds out, the damage has already been done.
Thanks to how much valuable information healthcare organizations intake, process and store, they are a prime target for hackers and breaches are on the rise. The Department of Health and Human Services’ Office for Civil Rights (OCR) started publishing summaries of data breaches in 2009 – and 2017 marked the year of the most reported breaches since they started publishing the summaries.
But if you think it’s only the big guys like Anthem that are targeted – think again. Healthcare Analytics News reported in May that Michigan’s Holland Eye Surgery and Laser Center appeared on the OCR data breach reporting portal after they failed to report a breach that happened to them. Starting in 2016, the hacker, who calls himself “Lifelock,” breached the practice’s system and obtained tens of thousands of patient records – which the hacker then sold on the dark web. Lifelock claims to have reached out to the practice over 30 times, demanding a $10,000 security fee to remain quiet, but the physicians didn’t respond to Lifelock. It is very common for hackers to reach out to their victims, asking for hush money.
Holland Eye claims that they were unaware of the breach until March 2018 – and that the date the business first became aware of the hack was 60 days before it issued the warning and reported it to OCR. Entities must notify OCR within 60 days of detecting a data breach to avoid penalties. The discrepancy between the dates reported by Holland Eye and by Lifelock raised red flags and is being investigated.
The good news for patients is that their safety is being taken seriously and measures have been put in place to protect their identity. The bad news is that for many patients, their information has already been sold on the dark web.
How Do Healthcare Breaches Happen?
Employee mistakes are one of the many reasons that breaches are occurring, but increasingly they are happening due to hackers breaking into vulnerable networks and stealing patients’ data. Of the reported breaches in the 2017 Data Breach Study published by the Ponemon Institute, criminal attacks were the leading cause, with malware, phishing and denial of service attacks as well as ransomware listed as the top cyber threats facing healthcare organizations.
Malicious software is one of the biggest threats to the healthcare industry because it can go undetected for a long time and it is easy for cyber thieves to gain access to a healthcare organization’s servers and devices. Timesunion reported in March that a surgical center affiliated with St. Peter’s Hospital in Albany, NY, was hit by a computer breach in which hackers installed malware on its servers. It is estimated that 135,000 patient records were compromised.
Phishing scams have become a very popular way for cyber thieves to get valuable data. The cyber thieves target a handful of employees who have access to sensitive information at a company. The fewer employees they target, the more likely they are to go unnoticed. In the large-scale Anthem breach, Banking Info Security reported on the hackers’ phishing attempts. Five employees at Anthem Inc. were targeted, and once the cyber thieves had one of the employees’ passwords, they had access to sensitive data.
Sometimes cyber criminals don’t sell patients’ information – they hold it hostage and demand ransom from the hospital or the healthcare provider to get a “key” which unlocks the data. In 2016, this happened to 10 MedStar hospitals in Maryland and in the District of Columbia. MedStar, like many other hospitals, had started using electronic medical files to give better patient care. The Baltimore Sun reported that instead of stealing patients’ information, the cyber thieves locked the data up. The thieves were holding the patients’ files ransom, and required payment in bitcoin in exchange for the digital keys to unlock the encrypted data. Fortunately, in this situation, the data was not stolen and the ransom was not paid; however, patients went days without being treated because staff were unable to access patients’ medical records.
Information security teams in the healthcare industry face many challenges when it comes to keeping their networks safe. ISACA’s 2017 State of Cybersecurity Study found that in 2016, 53% of security leaders had no formal process in place to address ransomware attacks, and 31% of organizations did not routinely test their security controls.
Encryption is Key to Protecting Healthcare Data
Healthcare organizations can implement a number of initiatives to go from reactive to proactive in the fight to secure patient data. Efforts include recurring exercises designed to test their own systems’ vulnerabilities, as well as putting measures in place to reduce the loss or theft of laptops and other data-bearing devices within the hospital system, which account for 65% of the data breach incidents reported to the U.S. Department of Health and Human Services.
Additionally, healthcare data encryption is a “particular imperative,” and one that should also be considered by other organizations when it comes to protecting personal data stored on laptops, desktop computers, and mobile devices, according to California Attorney General Kamala D. Harris in the California Data Breach Report released in 2016. And it is why major healthcare associations, such as HIMSS, are devoting entire programs to cybersecurity and encryption at their annual conferences.
Bluefin specializes in Point-to-Point Encryption (P2PE) for the healthcare industry. Validated by the PCI Security Standards Council, Bluefin’s P2PE suite of solutions ensures that patient credit card and debit card information is encrypted at the Point of Interaction (POI), so that it cannot be read or decrypted at any point within the merchant’s network. Bluefin is working on using its technology to encrypt data sources outside of payments, including those found in medical records. Learn more about our security technologies for Healthcare.