In 2015 the healthcare industry was the most attacked sector according to IBM's Cyber Security Intelligence Index. Over 100 million healthcare records were compromised during that year, based on data IBM gathered from more than 8,000 devices in more than 100 countries.
That finding makes plain something the healthcare industry can no longer hide: it has become a prime target of cyber attacks. The industry faces a host of cyber security issues that carry financial and reputational consequences for hospitals and other healthcare institutions.
IBM's Cyber Security Intelligence Index is just one of several industry reports that underscore the obvious: data held by healthcare institutions is being compromised every single day.
The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data released by the Ponemon Institute reveals more alarming facts and figures about data breaches in the healthcare industry.
That study put the cost of data breaches to the healthcare sector at $6.2 billion. Nearly 8 out of 10 healthcare institutions surveyed were hit with two or more data breaches in 2014 and 2015, and 45 percent were hit with more than five breaches during the same period.
The report surveyed 91 healthcare institutions and 84 business associates (partner organizations such as pharmaceutical firms, IT and service providers, and medical device makers).
In 2014, the US Department of Health and Human Services Office for Civil Rights reported that nearly 1.6 million people had their medical information exposed by healthcare providers. The bulk of those breaches were reported as "unauthorized access/disclosure", with the remainder reported as "hacking" and "theft".
Consulting firm Accenture believes that data breaches can cost the healthcare industry more than $300 billion of cumulative lifetime patient revenue over the next five years.
These statistics can be attributed to five cyber security risks that the healthcare industry needs to address immediately and adequately:
Limited spending on cyber security
One reason the healthcare industry is prone to cyber attacks is the limited budget healthcare institutions allocate to cyber security.
According to Symantec, a leading enterprise security vendor, healthcare companies are notorious for under-investing in cyber security. In a recent report it cited the 2016 HIMSS Analytics Healthcare IT Security and Risk Management Study, which found that healthcare companies under-spend on cyber security programs.
By comparison, the federal government spends 16 percent of its IT budget on security, and other industries such as banking and finance allocate 12 to 15 percent of their IT budgets to security programs.
Symantec's conclusion is that healthcare is prone to medical identity theft in part because its companies don't spend enough on cyber security.
ABI Research backs up Symantec's assessment. According to the research firm, cyber security spending in the healthcare sector has been underwhelming: it estimates that worldwide healthcare investment in defenses against cyber attacks will reach only $10 billion by 2020, less than 10 percent of total spending on critical infrastructure security.
Auditing giant KPMG, meanwhile, reports that many healthcare companies are not prepared for cyber attacks.
In a 2015 report, the firm found that 4 out of 5 healthcare executives in the US admitted that their IT systems had been compromised by hackers, and 53 percent of surveyed healthcare providers admitted they were not prepared to defend against such attacks.
High demand for medical records in the black market
The high demand for patients' medical records on the black market fuels many of the cyber attacks that have damaged the reputation and finances of healthcare institutions.
According to the Federal Bureau of Investigation, electronic health records (EHRs) are far more valuable to criminals than financial data: an EHR can sell for around $50 on the black market, compared with about $1 for a stolen Social Security number or credit card number.
An EHR includes the patient's name, date of birth, insurance policy number, diagnosis codes and billing information. Fraudsters can use this data in several ways, such as creating fake IDs to obtain medical equipment or medications that can be resold, or combining a patient's identifiers with a false provider to file bogus claims with medical insurers.
EHRs are also more valuable because their theft is harder to detect: medical identity theft takes almost twice as long to discover as ordinary identity theft. A stolen credit card can be cancelled and fraudulent charges disputed, whereas medical identity theft is more complex and much harder to resolve.
This gives cyber criminals far more time to 'milk' the information taken from EHRs.
The high prices EHRs command on the black market are likely the main reason attacks on healthcare institutions are rising so sharply: attackers can make far more money targeting healthcare institutions than banks and other financial firms. The percentage of healthcare organizations reporting a cyber attack rose to 40 percent in 2013 from just 20 percent in 2009, which shows how much of a prime target hospitals and other providers have become.
Ransomware
Cyber criminals don't even have to steal data from hospital computers to make a quick buck.
Ransomware is a data security threat that has targeted and victimized a number of hospitals in recent years.
It is a type of malware that cyber criminals plant on a healthcare organization's IT systems to deny the organization access to its own files or systems. Typically the malware encrypts the affected files so that authorized users can no longer open them, and the attackers then display a message with instructions for paying a ransom in exchange for the key that restores access.
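To make the mechanism above concrete from the defender's side, here is an added example (not code from the original article or from any vendor named on this page) of the kind of indicator check an incident responder can run over a file share after a suspected infection. It looks for the two artifacts the paragraph describes: files that have turned into unreadable ciphertext (detected by byte entropy near 8 bits per byte, or by an appended extension) and a ransom note dropped alongside them. The extension list, note-name markers, thresholds and sample files are all constructed for the illustration, not taken from a real ransomware family.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# All indicators below are constructed for this example, not artifacts of a
# real ransomware family.
RANSOM_NOTE_MARKERS = ("DECRYPT", "RECOVER", "HOW_TO", "README", "RESTORE")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data approach 8.0
SAMPLE_BYTES = 65536      # only the first 64 KiB of each file is measured

# Magic numbers of formats that are legitimately high-entropy because they are
# compressed; without this allowlist every JPEG and ZIP would look "encrypted".
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Label one file as 'note', 'encrypted' or 'normal'."""
    upper_name = path.name.upper()
    if path.suffix.lower() in NOTE_EXTENSIONS and any(
            marker in upper_name for marker in RANSOM_NOTE_MARKERS):
        return "note"
    data = path.read_bytes()
    if data.startswith(COMPRESSED_MAGIC):
        return "normal"
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        return "encrypted"
    if shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "normal"


def scan_directory(root: str) -> dict:
    """Walk a directory tree and summarize the ransomware indicators found in it."""
    counts = Counter()
    flagged = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        label = classify_file(path)
        counts[label] += 1
        if label != "normal":
            flagged.append((path.name, label))
    total = sum(counts.values())
    ratio = counts["encrypted"] / total if total else 0.0
    # One high-entropy file proves nothing; a ransom note, or most of the tree
    # turning into ciphertext, is what distinguishes an infection from noise.
    alert = counts["note"] > 0 or ratio >= 0.5
    return {"total": total, "encrypted": counts["encrypted"],
            "notes": counts["note"], "encrypted_ratio": ratio,
            "flagged": flagged, "alert": alert}


def build_sample_dir() -> str:
    """Create a constructed sample share: two normal files, two encrypted ones, one note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    Path(root, "patients.csv").write_text(
        "mrn,name,dob\n1001,A. Patient,1970-01-01\n" * 200)
    Path(root, "scan.png").write_bytes(b"\x89PNG\r\n\x1a\n" + os.urandom(4096))
    # os.urandom stands in for ciphertext: it has the same statistical profile.
    Path(root, "billing.xlsx.locked").write_bytes(os.urandom(16384))
    Path(root, "notes.docx.locked").write_bytes(os.urandom(16384))
    Path(root, "HOW_TO_DECRYPT_FILES.txt").write_text(
        "Your files have been encrypted. Send payment to restore access.\n")
    return root


if __name__ == "__main__":
    report = scan_directory(build_sample_dir())
    print(f"{report['encrypted']}/{report['total']} files look encrypted, "
          f"{report['notes']} ransom note(s); alert={report['alert']}")
    for name, label in report["flagged"]:
        print(f"  {label:9s} {name}")
```

The entropy test alone misfires on compressed formats, which is why known compressed magic numbers are skipped and why the alert fires only on a ransom note or on a majority of encrypted-looking files. A production control would watch file-write rates and canary files in real time rather than scanning after the fact, but the same two signals are what it is looking for.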
Ransomware operators usually demand payment in bitcoin. Unlike credit card payments, bitcoin transactions are not tied to a verified identity, which makes it harder for investigators to trace the money back to the attackers.
Aside from the inadequate cyber security programs of hospitals and other healthcare institutions, ransomware works against them because of the nature of healthcare operations: clinicians need immediate access to patient data and a functioning communications system, so these institutions are more likely to pay than to let patient care be disrupted.
Ransomware attacks are, unfortunately, on the rise. Symantec reports an average of more than 4,000 ransomware attacks per day during the first quarter of 2016 alone, a 300 percent increase over the roughly 1,000 attacks a day reported in 2015.
Hollywood Presbyterian Medical Center admitted paying $17,000 to attackers in February 2016, and MedStar Health, based in Columbia, Maryland, was hit with a demand of about $19,000 in 2016.
According to the Ponemon Institute, unplanned downtime can cost a healthcare organization around $8,000 a minute per incident, which explains why many hospitals would rather pay up than absorb major operational losses.
Bring Your Own Device (BYOD) policy
Healthcare organizations are encouraging physicians, nurses and other medical staff to bring their own tablets, smartphones and laptops to work. One survey found that 81 percent of healthcare providers now allow doctors and medical staff to use their own iPads and other mobile devices at work.
However, 46 percent of those organizations said they are doing nothing to secure those devices, and 54 percent said they have no confidence that the employee-owned devices used at work are secure.
Many cyber security experts believe that BYOD policies put organizations at risk of cyber attacks.
For one, mobile devices and laptops can be stolen from offices and expose patient data. There have been many cases of unencrypted laptops stolen from healthcare providers, such as Horizon Healthcare Services in New Jersey, whose stolen devices contained large quantities of personal data including Social Security numbers, and AMHC Healthcare in Los Angeles, which lost two unencrypted laptops holding data on about 700,000 patients.
Healthcare organizations should therefore be stricter about BYOD. The lesson of those laptop thefts is that any device holding patient data must be encrypted at rest, so that a stolen device is a hardware loss rather than a data breach. Employees should be barred from sharing protected health information through consumer file-sharing platforms, and employee-owned devices should be enrolled in a mobile device management (MDM) solution that can locate a lost or stolen device and remotely wipe the data on it.
Negligent employees
Although cyber attacks remain the leading cause of data breaches in the healthcare industry, many breaches are caused by careless employees. An employee may, for example, open an email attachment that contains malware and compromise confidential information stored on a computer.
Hospitals and healthcare organizations can reduce the risk of cyber attacks by making sure their staff understand that carelessness can leave the organization at the mercy of cyber criminals.
A 2015 study by Wombat Security Technologies and the Aberdeen Group found that security awareness training for employees can reduce the risk of a successful cyber attack by 45 to 70 percent.
The study underlines that few companies focus on the greatest evolving security threat, the end users themselves. While investing in IT security technologies helps mitigate the risk of data theft, ransomware and other cyber crime, healthcare organizations should also focus on their personnel and make them more aware of these attacks.
Hospitals, clinics and other healthcare organizations are therefore encouraged to educate their staff and train them in handling confidential information, particularly patient data. Employees should be tested periodically on their security knowledge and trained in handling email safely and following security best practices. Some healthcare institutions work with an external security firm to build their personnel's ability to recognize phishing emails and other forms of attack.
These are arguably five of the top cyber security risks facing the healthcare industry today. Suffice it to say that a hospital, clinic or healthcare provider that deals with these risks well can significantly reduce its chances of being hit by a cyber attack.
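As an added example (not code from the original article), the checks below encode a few of the phishing cues that staff training typically teaches, the cues the malicious-attachment scenario above turns on, as mail-gateway logic that can run before a message reaches a clinician's inbox. It parses a message with Python's standard email library and flags executable or macro-enabled attachments, double extensions such as invoice.pdf.docm, a Reply-To domain that differs from the From domain, and a display name that impersonates another address. The sample messages, domains and extension lists are constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extension lists are illustrative, not exhaustive (constructed for this example).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat",
                    ".cmd", ".ps1", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso"}
# Benign-looking inner extensions used to disguise a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".png"}


def attachment_findings(filename: str) -> list:
    """Flag an attachment by its file name alone (content is not inspected)."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        findings.append(f"{filename}: executable or macro-enabled attachment ({ext})")
    if ext in ARCHIVE_EXTENSIONS:
        findings.append(f"{filename}: archive attachment, contents not inspected")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        findings.append(f"{filename}: double extension disguises the real file type")
    return findings


def header_findings(msg) -> list:
    """Flag sender/reply mismatches that training teaches staff to notice."""
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # A display name that itself looks like an address, but not the real one,
    # e.g. From: "ceo@clinic.example" <attacker@other.example>
    if "@" in from_name and from_name.lower() != from_addr.lower():
        findings.append(f"display name {from_name!r} impersonates an address other than {from_addr}")
    return findings


def screen_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = header_findings(msg)
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            findings.extend(attachment_findings(name))
    return {
        "subject": str(msg.get("Subject", "")),
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


def build_phishing_sample() -> bytes:
    """Constructed lure: look-alike Reply-To plus a macro-enabled 'invoice'."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <billing@clinic.example>"
    msg["Reply-To"] = "billing@c1inic-support.example"
    msg["To"] = "nurse@clinic.example"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please open the attached invoice and enable editing.")
    msg.add_attachment(b"PK\x03\x04 constructed placeholder bytes",
                       maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice_4471.pdf.docm")
    return msg.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed legitimate message: same domain throughout, plain PDF."""
    msg = EmailMessage()
    msg["From"] = "Medical Records <records@clinic.example>"
    msg["To"] = "nurse@clinic.example"
    msg["Subject"] = "Discharge summary"
    msg.set_content("Attached is the discharge summary you requested.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder bytes",
                       maintype="application", subtype="pdf",
                       filename="discharge_summary.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_phishing_sample(), build_clean_sample()):
        report = screen_message(raw)
        print(report["subject"], "->", report["verdict"])
        for finding in report["findings"]:
            print("  -", finding)
```

These name- and header-based checks are cheap and catch the lures that rely on a user not looking closely; they deliberately do not inspect attachment contents, so a gateway would pair them with sandbox detonation or macro stripping, and the training described above remains the control for whatever gets through.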