Zettaset Blog

Why Healthcare is a Prime Target for Cybercriminals

As someone deeply involved in the data security business, I am often asked why the healthcare industry seems to have suffered through a series of high-profile breaches over the past few years. A recently released research paper sponsored by Trend Micro provides some startling statistics that shed abundant light on the subject.

Stealing Patient Healthcare Records is Lucrative
The healthcare sector has been the industry with the highest number of data breaches, followed by the government and retail sectors. In 2015, a total of 113.2 million healthcare-related records were stolen, which remains the largest number of records lost to a single year of healthcare breaches so far. That year, however, was not the only time healthcare institutions were targeted: as early as 2012, healthcare institutions were already falling victim to cyber-attacks. The most common kind of attack is a data breach.

Complete electronic health record (EHR) databases can fetch as much as $500,000 on the Deep Web, and attackers are also making money from individual medical records. Cybercriminals use stolen personal data to procure drugs, commit tax fraud, steal identities and commit other fraudulent acts, and they sell it for anywhere between $1 and $5 per patient record.

Healthcare Organizations Have Limited Focus on IT Security
The Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Health Care Data, published in May 2016, highlighted these points:

  • About half of all organizations have little or no confidence that they can detect all patient data loss or theft.
  • The majority of healthcare organizations still lack sufficient budget for security that will be used to curtail or minimize data breach incidents. A majority also believes that their incident response process has inadequate funding and resources.
  • The majority of healthcare organizations have not invested in the technologies necessary to mitigate a data breach, nor have they hired enough skilled IT security practitioners.
  • The security budget of most healthcare organizations has declined by 10%, while that of more than half of the organizations has remained static, and most healthcare organizations believe they don’t have the budget to properly protect data.

Existing, Proven Security Technologies Are Not Being Universally Applied
Despite the Health Insurance Portability and Accountability Act (HIPAA) being designed to protect patients against the loss, theft or disclosure of their sensitive medical information, many healthcare entities have not implemented basic safeguards like encrypting data or using two-factor authentication, risk management tactics that have been recommended since 2006. In fact, HIPAA recommends the use of strong encryption and sets Secure Sockets Layer (SSL) as the minimum requirement for all internet-based systems, including corporate web email systems.

According to a survey by the Healthcare Information and Management Systems Society (HIMSS), only about 68.1% of hospital providers and less than half of medical practice providers encrypt data in transit, meaning the remainder are sending protected health information in the clear. As for data at rest, 61.3% of hospitals and 48.4% of medical practice providers are encrypting stored data. Without encryption, data in transit can be captured through eavesdropping, packet sniffing, or other attack methods.

Everyone Pays When Breaches Occur
From October 2009 to December 2016, the Office for Civil Rights logged 1,798 data breach incidents involving healthcare organizations. According to Verizon’s 2016 Data Breach Investigations Report (DBIR), cyber-attacks against hospitals, clinics and doctors are estimated to cost the U.S. healthcare industry more than $6 billion a year, with an average data breach costing a hospital $2.1 million.
