As someone deeply involved in the data security business, I am often asked why the healthcare industry seems to have suffered through a series of high-profile breaches over the past few years. A recently released research paper sponsored by Trend Micro provides some startling statistics that shed abundant light on the subject.
Stealing Patient Healthcare Records is Lucrative
The healthcare sector has been the industry with the highest number of data breaches, followed by the government and retail sectors. In 2015, a total of 113.2 million healthcare-related records were stolen, which remains the largest number of records stolen in healthcare breaches in a single year so far. That year, however, was not the only time healthcare institutions were targeted. As early as 2012, healthcare institutions became victims of cyber-attacks. The most common kind of attack is a data breach.
Complete electronic health record (EHR) databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money from individual medical records. Stolen personal data are used by cybercriminals to procure drugs, commit tax fraud, steal identities and commit other fraudulent acts, and are sold for anywhere between $1 and $5 per patient record.
Healthcare Organizations Have Limited Focus on IT Security
The Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Health Care Data, published in May 2016, highlighted these points:
Existing, Proven Security Technologies Are Not Being Universally Applied
Despite Health Insurance Portability and Accountability Act (HIPAA) laws being designed to protect patients against the loss, theft or disclosure of their sensitive medical information, many healthcare entities have not implemented basic safeguards such as encrypting data or using two-factor authentication, risk management tactics that have been recommended since 2006. In fact, HIPAA recommends the use of strong encryption and for Secure Sockets Layer (SSL) to be the minimum requirement for all internet-based systems, including corporate web email systems.
According to a survey by the Healthcare Information and Management Systems Society (HIMSS), only about 68.1% of hospital providers and less than half of medical practice providers encrypt data in transit; the remainder are sending protected health information in the clear. As for data at rest, 61.3% of hospitals and 48.4% of medical practice providers encrypt stored data. Without encryption, data in transit can be captured through eavesdropping, packet sniffing, or other attack methods.
Everyone Pays When Breaches Occur
From October 2009 to December 2016, the Office for Civil Rights logged 1,798 data breach incidents involving healthcare organizations. According to Verizon’s 2016 Data Breach Investigations Report (DBIR), it is estimated that cyber-attacks against hospitals, clinics and doctors cost the U.S. healthcare industry more than $6 billion a year, with an average data breach costing a hospital $2.1 million.