Risks in Healthcare Cybersecurity and How to Avoid Them
Healthcare Cybersecurity Statistics 2019
- This year, there have been 3.68 million individuals affected by data breaches currently under investigation by the U.S. Department of Health and Human Services.
- Healthcare data breaches are reported at a rate of one per day.
- Security company Cybersecurity Ventures predicts that healthcare will incur two to three-times more cyber-attacks than the average of all other industries.
- The most common locations of breaches to patient health information (PHI) are email, printed documents, and a company’s network server.
- Hacking and IT-related incidents account for most data breaches. Other causes include misuse of administrative privilege, improper disposal, theft and unauthorized access.
What is Data Privacy in Healthcare?
The most widely agreed upon standard for data privacy in healthcare comes from the HIPAA Privacy Rule, which establishes national standards to protect patient medical records and health information. The rule requires appropriate safeguards for ensuring the privacy and security of PHI, and it defines who is covered by the privacy rule, the type of information that's protected, and limitations on how PHI can be used by a company or practice.
Sensitive healthcare data can include patient data like PHI, payment records, payer and provider employee data, and data related to wired and wireless IoT (Internet of Things) medical devices. 47 states have laws that require security breaches involving personal data to be reported to the authorities in addition to HIPAA’s Privacy Rule.
Importance of Data Security in Healthcare
Why is information security important in healthcare? For starters, it’s a market opportunity, and it’s a goldmine for criminals! Cyber criminals cost the global economy over $400 billion a year, according to estimates by the Center for Strategic and International Studies. As we saw with Target in 2013, just one data breach can throw a $145 million wrench in the cogs. Healthcare data breach costs are the highest of any industry at $408 per record. While credit card information and PII sell for a couple dollars on the dark web, patient health information can sell for as much as $363 according to the Infosec Institute.
Types of Healthcare Data Security Threats
One of the best preventative measures you can take to secure your company’s data is to educate yourself on the methods used by hackers to access PHI. Most threats are a combination of software and social engineering.
- Ransomware – Ransomware is a type of malicious software where an attacker holds a user’s system or personal information hostage in exchange for payment. The healthcare industry accounted for 88% of all ransomware attacks in the U.S. in 2016.
- DoS Attacks – DoS or denial-of-service attacks are a type of attack where your server is bombarded with traffic or requests to overwhelm it and shut the service down. Like ransomware attacks, DoS is often used to hold a web-based service hostage.
- Phishing – A phishing scam tricks users into unknowingly providing access to a system through an email or pop up disguised as a legitimate request. According to a 2018 report by phishing defense company Cofense, terms most often used in email subject line for phishing attacks include “New Message in Mailbox” and “Attached Invoice.”
- Man-in-the-middle Attacks – This is a type of cybersecurity attack where an attacker eavesdrops on, and can tamper with, communication between two entities. Man-in-the-middle attacks can occur through your SSL/TLS connections, Wi-Fi network, and DNS.
- Malware – Malicious software such as a virus, worm or Trojan horse, where code is injected into your computer to steal, delete or encrypt information.
Healthcare Data Security Challenges
Annual data breaches have increased by 73% between 2010 and 2017. 34% of healthcare data breaches occur from unauthorized access or disclosure. While seemingly more threatening, malicious breaches occur half as often as breaches due to internal mistakes.
According to the FBI, an increase in healthcare cyber intrusions is likely due to a lack of resilience compared to the financial and retail industries. Health organizations have a lot of information that’s valuable to criminals. They often have a bunch of personal information that can be used for traditional financial fraud, as well as health insurance information that can be sold for even more on black markets.
Most healthcare breaches are motivated by financial gain, with healthcare workers most often using patient data to commit tax or credit fraud.
The unfortunate truth is that the healthcare sector is an easy target for cyber criminals because of its vast ecosystem. There are so many interconnected individuals that have access to medical and billing records – patients, dependents, specialists, physicians, hospitals, billing service providers, health insurers… the list goes on and on. Not to mention medical records are the highest valued credentials on the dark web at $20-$50 per record – that’s at least 90% higher than the value of someone’s credit card information.
According to a recent study by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), the top cause of risk to cybersecurity in healthcare include a lack of training, lack of enforcement, and overconfidence.
Tips for Cybersecurity in Healthcare
Healthcare data security is by no means "one size fits all." A small, rural practice will invest differently than a large, metropolitan hospital. Based on your business and your needs, you should identify what data is most important to protect, then plan your safety measures accordingly. Perhaps you'll realize that technology isn't what's needed, but people and processes instead.
- Promoting safety standards isn't just IT's job. Appoint a security officer within each department to help promote good practices; you'll have more eyes and ears dedicated to the cause and spread awareness on a more granular level.
- Use a firewall and anti-virus software to protect against malicious intrusions. The firewall inspects all messages coming in from the outside and decides whether each message should be allowed in based on pre-determined criteria. Anti-virus stops malicious software that has already bypassed your safety measures and entered the system.
- Passwords are your first line of defense when preventing hacks into any server. By ensuring that employees have a strong password, a company can all but eliminate 75-80% of cyber-attacks.
- If a hack or breach does occur, disclose the incident immediately to your security team. Information can often be recovered if authorities are notified soon after a security breach. Recovering data is extremely difficult as more time goes by because of the network of offshore channels this information is relayed through.
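The password tip above says "strong password" without saying how to enforce one. The following is an added example, not code from the original article, of a minimal password-policy check of the kind a practice could run at account creation or password change: it rejects short passwords, passwords on a known-common list, passwords containing the username, single repeated characters, and passwords with too little estimated entropy. The common-password list and the 12-character / 50-bit thresholds are assumptions chosen for the example; a real deployment would check against a full breached-password corpus.

```python
import math
import re

# Constructed sample of commonly used passwords that a policy should reject outright.
# Assumption for this example: in production this would be a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "hospital1"}

MIN_LENGTH = 12          # assumed policy minimum
MIN_ENTROPY_BITS = 50.0  # assumed policy minimum


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes used).

    This overestimates dictionary words and patterns, which is why it is used
    together with the other checks rather than on its own.
    """
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        charset += 33  # printable ASCII symbols
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {int(MIN_ENTROPY_BITS)} bits")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs to show the checks in action.
    for candidate, user in [("password", "jdoe"),
                            ("DrSmith2024!!hello", "drsmith"),
                            ("Correct-Horse-Battery-7", "jdoe")]:
        print(candidate, "->", check_password(candidate, user) or "OK")
```

The function returns the violations rather than a bare yes/no so the user can be told exactly what to fix; the entropy estimate is deliberately only one of several checks, since a long dictionary phrase scores well on entropy while still being guessable.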
Your company may have the most intuitive healthcare cybersecurity software and direct safety processes set in place, but at the end of the day, your safety culture won’t shift until every single employee consciously decides to make the change. It requires leadership and commitment!