The healthcare sector, which was short-staffed before the pandemic, has been stretched beyond its limits over the past two years. Healthcare workers have had to adopt an all-hands-on-deck philosophy of care to manage the massive volume of patients and dwindling supplies during Covid. As a result, hospitals and health systems are left with exhausted resources and staff shortages across all departments.
To a patient’s eye, these shortages are most evident on the front line of healthcare: doctors, nurses, and hospital staff. But thin margins of critically skilled staff within IT departments are also a reality, and they add another layer of difficulty to a battle that only keeps intensifying: cyberattacks. In 2021, healthcare cybersecurity breaches reached an all-time high, exposing a record amount of patient data. 45M individuals were affected by healthcare attacks, up from 34M in 2020. That number has more than tripled in just three years, growing from 14M in 2018.
The cost of healthcare breaches is also crushing. According to the latest Cost of a Data Breach report from IBM and the Ponemon Institute, the global average cost of a data breach rose to $4.24M in 2021, a 10% increase from the $3.86M average in the 2020 report. For healthcare, the numbers are much higher: for 11 consecutive years the healthcare industry has paid more per breach than any other sector. Its average cost rose about 29.5% from $7.13M in 2020 to $9.23M in 2021.
More Data = More Money
Data represents money, which is why the healthcare sector is so alluring to cyber criminals. The healthcare industry gathers and stores data in three highly sensitive categories: Protected Health Information (PHI), Personally Identifiable Information (PII) and patient financial information. It is a lucrative trio for attackers: the data is either sold on the dark web or held for ransom. The 2021 IBM study reveals that customer PII was the most common and most costly type of record compromised in a data breach, at an average of $180 per record, and was included in 44% of all breaches in 2021.
Attempts to launch cyberattacks on the healthcare industry will only become more commonplace as healthcare spending is predicted to increase up to $18 trillion by 2040.
Breach Causes and New Threats
Hacking/IT incidents continued to be the most common cause of breaches, increasing 10% in 2021. Hacking was also responsible for the vast majority of the individual records affected by breaches, which, according to the report, means those records were likely sold on the dark web.
The U.S. Department of Health and Human Services (HHS) data indicates an uptick in hacking incidents at outpatient/specialty clinics as well, which saw a 41% increase in these types of breaches in 2021 compared to 2020.
As we step into 2022, hacking incidents continue to dominate the breach reports and account for 76% of January’s data breaches and 95.57% of the month’s breached records. In January’s largest reported breach, the protected health information of more than 1.35 million patients of Broward Health in Florida was stolen as hackers gained access to the Broward Health network via a third-party medical provider that had been given access rights to Broward Health’s systems.
Healthcare IT departments will continue to be stretched thin dealing with the pandemic-related crisis, but potential new threats always seem to be lurking in the shadows.
On March 2nd, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning to the U.S. health sector about potential cyber threats that could spill over from the conflict in Ukraine and affect U.S. healthcare organizations.
“Russia’s unprovoked attack on Ukraine has, as expected, spilled over into cyberspace. The scope of conflict now includes allies on both sides, many of whom also bring cyber capabilities with them. As of March 1, 2022, the Department of Health and Human Services is not aware of any specific threat to the US Healthcare and Public Health (HPH) Sector. However, in the interest of being proactive and vigilant, we are briefly reviewing the cyber capabilities of Russia and its allies and specifically two malware variants most likely to be utilized in any collateral attacks which may impact HPH in this campaign.”
Why Healthcare Organizations Need Tokenization and Encryption
When considering a payment and data security strategy, healthcare organizations have two broad options: they can “defend the fort” by building stronger perimeter defenses, or they can “devalue the data” by replacing clear-text PHI, PII and cardholder data with tokens and encrypting it at the point of capture, so that an attacker who does get into the system finds nothing to leverage or sell. The two are not mutually exclusive: perimeter and identity controls are still required, but tokenization and encryption limit what a successful intrusion, such as the third-party access compromise at Broward Health, can yield.
Bluefin is a strong believer in devaluing the data, so that if a hacker does penetrate the perimeter, they find nothing of value.
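To make “devaluing the data” concrete, here is an added example (not Bluefin’s code, and not an implementation of P2PE or ShieldConex) of a vault-based tokenization service. The application database stores only random, format-preserving tokens; the real values live in a separate vault that seals them with encrypt-then-MAC. Because the Python standard library has no AEAD cipher, the example uses an HMAC-SHA256 counter-mode keystream plus an HMAC tag as a stand-in for AES-GCM; a production deployment would use a real AEAD with keys held in an HSM or KMS. The class and function names, and the sample patient record, are all constructed for the illustration.

```python
# Added example, not Bluefin's code: a vault-based tokenization service that
# "devalues the data" so the application database never holds clear-text
# PAN or SSN.  The vault seals what it keeps with an encrypt-then-MAC stand-in
# for AES-GCM built from HMAC-SHA256 (the standard library has no AEAD);
# a real deployment would use an AEAD cipher with keys held in an HSM/KMS.
# All class and function names here are hypothetical.
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a PRF); stand-in for a block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything modified."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TokenVault:
    """Token -> sealed value map.  Runs as its own service with its own keys;
    only the payment/claims processor should be allowed to call detokenize()."""

    def __init__(self) -> None:
        self._enc_key = secrets.token_bytes(32)  # hypothetical: would come from an HSM/KMS
        self._mac_key = secrets.token_bytes(32)
        self._store = {}                         # token -> sealed bytes

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Format-preserving random token: digits in the head become random digits,
        separators stay, and the last `keep_last` characters are kept so receipts
        and screens can still show '...1111'.  Tokens are random, not derived
        from the value, so two tokenizations of the same value differ."""
        head, tail = (value[:-keep_last], value[-keep_last:]) if keep_last else (value, "")
        while True:
            token = "".join(secrets.choice("0123456789") if c.isdigit() else c for c in head) + tail
            if token != value and token not in self._store:  # never hand back the real value
                break
        self._store[token] = seal(self._enc_key, self._mac_key, value.encode())
        return token

    def detokenize(self, token: str) -> str:
        return unseal(self._enc_key, self._mac_key, self._store[token]).decode()

    def export_sealed(self) -> bytes:
        """What an attacker gets from a dump of the vault table without the keys."""
        return b"".join(self._store.values())


def devalue_record(vault: TokenVault, record: dict, fields=("ssn", "pan")) -> dict:
    """Swap sensitive fields for tokens before the application stores the row."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}


def leaked_values(rows, sensitive) -> list:
    """Simulate a 'defend the fort' failure: which clear-text secrets are in the dump?"""
    dump = "\n".join(str(r) for r in rows)
    return [s for s in sensitive if s in dump]


# Constructed sample admission record (not real data).
SAMPLE_PATIENT = {"mrn": "MRN-000123", "ssn": "123-45-6789", "pan": "4111111111111111"}

if __name__ == "__main__":
    vault = TokenVault()
    row = devalue_record(vault, SAMPLE_PATIENT)
    print("stored row:", row)
    print("leaked from app DB:", leaked_values([row], [SAMPLE_PATIENT["ssn"], SAMPLE_PATIENT["pan"]]))
    print("detokenized for the processor:", vault.detokenize(row["pan"]))
```

The point of the split is scope: a dump of the application database yields tokens that cannot be reversed without the vault, and a dump of the vault table yields only sealed bytes that cannot be decrypted without keys held elsewhere. Tokens are random rather than hashed or derived, so an attacker cannot rebuild a lookup table from known card numbers, and the integrity tag means a modified vault record is rejected rather than decrypted to garbage.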
Bluefin specializes in payment and data security solutions to protect healthcare organizations. Our flagship products include our PCI-validated point-to-point encryption (P2PE) solution for the protection of point-of-sale cardholder data and our ShieldConex® data security platform for the protection of consumer, medical and payment data entered online. Combined, P2PE and ShieldConex provide the most secure and holistic solution for healthcare data.