Is Enough Being Done to Prevent Healthcare Security Breaches?
The healthcare sector is in trouble, and the threat is only growing. A cybersecurity survey by IBM revealed that, in 2015, healthcare was the most frequently attacked industry, replacing financial services. That trend continues into 2016, with digital security provider Gemalto reporting that healthcare leads all industries in data breaches. And, according to the a summary report by the Identity Theft Resource Center (ITRC), medical and healthcare sector security incidents made up more than a third of all breach incidents identified by the ITRC in 2016. More recently, Experian’s 2017 Data Breach Industry Forecast predicts that healthcare will be the most targeted industry, with even bigger, more sophisticated attacks on the horizon.
This alarming trend has resulted in a number of hard lessons for healthcare facilities worldwide. One of the biggest data breaches of 2016 took place in June when Banner Health, a prominent US-based healthcare organization, experienced a security breach that exposed as many as 3.7 million patient records. In addition to the personal information of patients, sensitive data belonging to health plan members and their beneficiaries may have been compromised as well. The incident was among the top five healthcare data breaches in 2016, all of which were the result of cybersecurity attacks.
These kinds of security incidents don’t come cheap. In the aftermath of the data breach, Banner Health was hit with a wave of litigation, including both civil and class-action lawsuits. A recent report by the Ponemon Institute, which looked at 64 US companies in 16 industries, showed that security incidents in 2016 cost companies an average of $221 per lost or stolen record. But highly regulated industries like healthcare incurred substantially higher costs in the wake of a security incident due to large fines and an above average loss of business.
Medical records are a prime target.
The market for stolen medical records is booming. After healthcare data is taken, it often resurfaces on the “dark web,” a hidden network of websites only viewable using special software. The encryption systems used to access the dark web allow hackers and criminals to anonymously engage in illegal transactions that are difficult or impossible for authorities to trace. From credit card data to social security numbers, an alarming amount of personal information is illegally traded on the dark web every day. But according to Insight National Account Manager Brian Cea, medical records are particularly valuable.
Cea, a veteran of 20 years in the healthcare industry with a focus on healthcare IT for over a decade, says there are a couple of reasons medical records are targeted. “The value of a patient record is significantly larger on the black market than a typical credit card. Selling a credit card number on the black market may get you $5 to $10, where a patient’s record can get up to 10 times that depending on what is contained in the stolen information,” says Cea.
“The second reason is that most healthcare organizations are woefully unprepared to not only stop an attack but to respond when the malicious activity is already in their environment. In a lot of recent cases, hacks occurred months prior to detection, giving the attackers unlimited access to patient records and other information,” Cea adds.
And while hackers target patient data for its value on the black market, their buyers have far more nefarious purposes in mind. Identity thieves use information contained in medical records to create fake IDs, initiate fraudulent insurance claims, commit Medicare/Medicaid fraud and more. Patient data is even used to carry out tax fraud. In fact, the IRS expects fraud losses to grow to $21 billion in 2016.
“Despite all the recent attacks, acceleration of government fines, civil law suits and damage to reputation, most organizations do not make cybersecurity a priority. They choose to be reactive instead of proactive, and this makes it easier for cyber criminals to be one step ahead,” says Cea.
Getting a risk assessment
Because many medical treatment centers, health insurance companies and healthcare manufacturers have few or no security measures in place to protect their IT infrastructures, they’re rife with vulnerabilities that leave them wide open for attack. Even when security protocols are in place, employee security awareness is often overlooked.
“The INFOSEC Institute points out that most healthcare organizations are not using the latest technology in the battle against cyberattacks. Most organizations only protect the front line intrusion but forget to protect all access points,“ says Cea. “One of the first things to consider is getting a security risk analysis, sometimes called a HIPAA risk assessment. This is key to knowing where there are soft access points for an attack to occur. The analysis will also indicate how companies can improve employee education, protocols to be followed — such as a cyber incident response plan — and ways to improve what happens when an attack is identified.”
As Cea explains, security breaches can come in many different forms. He cites one example where a team of independent security evaluators hacked a hospital by using malware-infested USB drives with the hospital’s logo on it. “Employees used these drives and gave [the evaluators] access to the hospital’s systems. Attacks can be delivered both internal and external and nothing should be taken for granted,” says Cea. He adds that keeping data secure isn’t just about protecting systems from an external attack. Education of employees is critical, as well as establishing protocols to be followed in the event of an attack and being able to identify when a security breach has occurred in order to isolate the incident.
“Without real-time detection or skilled IT personnel, cyber attackers can have their way within an environment to steal at will. This can be months — and in some recent cases — even up to a year,” says Cea.
Preparing for potential security breaches
With the threat landscape rapidly evolving and expanding, now is the time for organizations to implement solutions to get ahead of the cyberthreat trend. “The most important thing a healthcare organization can do is prepare for the worst,” says Cea. After completing a thorough risk assessment to identify and secure potential access points and vulnerabilities, he recommends creating a cyber incident response team, training employees on security protocols and ensuring plans are in place to handle a data breach if it occurs. “Isolating the attack is critical to minimizing further intrusion into the environment,” says Cea. He adds that another critical step many IT teams overlook is documenting and reporting a cyberattack to help others fight ongoing attacks.
Making IT security a top priority when budgeting is also key to fighting threats and minimizing vulnerabilities. “Cybersecurity spend for healthcare protection will only reach $10 billion globally by 2020, just under 10% of the total spend on critical infrastructure security,” says Cea. “Ensure you are getting the proper risk assessments completed and are able to be proactive instead of reactive. It will save the organization money in the long run.”
There’s nothing trivial about what might be saved. According to Forbes Magazine, the global cost of cybercrime will be $2 trillion by 2019. That’s up from $100 billion in 2012 and more than enough to financially devastate some organizations. Even organizations with the best security protocols in place are susceptible to data breaches. That’s why it’s important for healthcare facilities and insurers to have a plan for dealing with the aftermath of a security incident — limiting the effects on the organization and the patients it serves.