The healthcare industry is going through a digital revolution. Hospitals pay more attention to technology than ever before. Both patients and professionals realize the benefits of telemedicine, mHealth, wearables, and smart devices and systems. Patient electronic medical records are entered online, letting patients access their own health data from home, helping doctors collaborate with each other remotely, and giving medical researchers access to millions of healthcare records.
But this transformation comes at the cost of security. Digital patient records have become a prime target for hackers due to the huge amount of sensitive information they contain. According to the newly released Study on Privacy and Security of Healthcare Data by the Ponemon Institute, nearly 90% of healthcare organizations experienced at least one data breach in the past two years, and 45% of them had more than five.
The increasingly frequent data breaches are estimated to be costing the healthcare industry $6.2 billion annually. At the same time, IT security expenditures for the healthcare sector are about one-tenth of what other industries spend. This year, information security has become a key concern for the majority of healthcare IT leaders. No healthcare organization is immune, and according to security researchers, the number of cyber-attacks in healthcare is expected to increase.
The Most Attacked Industry
In 2015, healthcare moved into the top spot of the rankings as the most frequently attacked industry, replacing financial services and speeding past manufacturing, government, and transportation, according to the latest research by IBM. Five of the eight largest healthcare security breaches since 2010—those with over one million records reportedly compromised—took place during the first six months of 2015. In fact, more than 100 million health records were compromised last year.
Source: The IBM X-Force 2016 Cyber Security Intelligence Index
Electronic medical records typically contain credit card data, email addresses, social security numbers, employment information, medical history, and other personal details. Stolen data often does not surface for a while after a breach, but then it appears on the black market in a variety of forms. Complete sets of personal data are comparatively cheap; sets of specific identifiers, such as ID numbers, sell at a much higher price.
Health information is reported to be worth up to 50 times more on the black market than financial information. Unlike credit card breaches, which are often resolved quickly by issuing a new card, a medical data breach is not a one-time event: stolen patient data remains valid for years, if not decades, and can be reused repeatedly. Cyber thieves use it for a wide range of fraud, from medical identity theft and bank account takeover to illegal immigration and further cyber-attacks. There is also high potential for tax and medical insurance fraud, since many health records contain social security numbers.
In 2016, ransomware, malware, and denial-of-service (DoS) attacks are the top cyber threats facing healthcare organizations, the Ponemon Institute reports. Employee negligence, insecure mobile devices, use of public cloud services, mobile (eHealth) apps, and employee-owned mobile devices (BYOD) are also seen as significant threats to confidential information. In the coming year, experts expect a fresh wave of ransomware, smarter malware and viruses, IoT compromises, and attacks on wearable devices.
The Key Steps to Health Data Security
Data security is critical to the healthcare sector. Healthcare data breaches undermine the effectiveness of care and result in heavy fines, expensive litigation, and lasting reputational damage. Achieving data security in healthcare requires a cohesive, coordinated data protection strategy that also meets current regulatory requirements, such as HIPAA in the United States.
HIPAA (the Health Insurance Portability and Accountability Act) is US legislation that sets privacy and security requirements for safeguarding medical information. Organizations that handle protected health information (PHI) must implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule. HIPAA violations can be costly, with civil penalties capped at $1.5 million per year for violations of the same provision, but the loss of patients' confidence in the organization's services can be even more damaging.
Yet nearly 60% of HIPAA violations reported over the past several years could have been avoided with a sound security strategy. Security experts recommend creating a data classification policy, encrypting sensitive data at rest and in transit (using authenticated encryption or a separate integrity check, since encryption alone does not detect tampering), applying appropriate network security controls, and having a disaster recovery/business continuity plan in place. Among the main technological countermeasures are encrypted enterprise platforms, biometric authentication, and device-management systems that detect suspicious activity.
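A worked example of the encryption caveat above, added here and not part of the original article: the Go program below (standard library only, with a constructed sample record and hypothetical field names) encrypts the same patient record with AES-CTR and with AES-GCM, then lets an attacker who knows the record layout but not the key flip the blood type from O- to A+. The CTR version decrypts "cleanly" to the altered value, because a stream cipher gives confidentiality and nothing more; the GCM version refuses to open, because its authentication tag covers every ciphertext byte and the record identifier passed as associated data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record for this demonstration; not real patient data.
var sampleRecord = []byte(`{"mrn":"000123","blood_type":"O-","allergy":"penicillin"}`)

// ctr applies the AES-CTR keystream (same call encrypts and decrypts): confidentiality only.
func ctr(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM uses AES-GCM (authenticated encryption): output is nonce || ct || tag. recordID is
// bound as associated data, so a ciphertext re-filed under another patient's ID fails to open.
func sealGCM(aead cipher.AEAD, recordID, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize()) // random 96-bit nonce; rotate keys before many seals
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// openGCM fails if any bit of nonce, ciphertext, tag or recordID differs.
func openGCM(aead cipher.AEAD, recordID, data []byte) ([]byte, error) {
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], recordID)
}

// flipField models an attacker who knows the record layout (the schema is public)
// but not the key: XORing ciphertext bytes with old^repl rewrites that field.
func flipField(ciphertext []byte, offset int, old, repl []byte) []byte {
	out := append([]byte(nil), ciphertext...)
	for i := range old {
		out[offset+i] ^= old[i] ^ repl[i]
	}
	return out
}

// Result records what each mode does when an attacker changes blood type O- to A+.
type Result struct {
	CTRDecrypted string // what unauthenticated decryption hands back
	GCMRejected  bool   // whether AES-GCM refused the tampered record
}

func Demo() (Result, error) {
	buf := make([]byte, 32+aes.BlockSize+32) // CTR key, CTR IV, separate GCM key
	if _, err := rand.Read(buf); err != nil {
		return Result{}, err
	}
	ctrKey, iv, gcmKey := buf[:32], buf[32:32+aes.BlockSize], buf[32+aes.BlockSize:]
	aead, err := newGCM(gcmKey)
	if err != nil {
		return Result{}, err
	}
	idx := bytes.Index(sampleRecord, []byte("O-"))
	old, repl := []byte("O-"), []byte("A+")
	ct, _ := ctr(ctrKey, iv, sampleRecord)
	pt, _ := ctr(ctrKey, iv, flipField(ct, idx, old, repl)) // decrypts "cleanly"
	recordID := []byte("mrn:000123")
	gct, err := sealGCM(aead, recordID, sampleRecord)
	if err != nil {
		return Result{}, err
	}
	_, gerr := openGCM(aead, recordID, flipField(gct, aead.NonceSize()+idx, old, repl))
	return Result{CTRDecrypted: string(pt), GCMRejected: gerr != nil}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("AES-CTR handed back:", r.CTRDecrypted)
	fmt.Println("AES-GCM rejected tampered record:", r.GCMRejected)
}
```

The point for a records system is the second half: use an AEAD mode (AES-GCM or ChaCha20-Poly1305 from a vetted library) rather than a bare block or stream mode, and bind enough context as associated data (patient identifier, record version) that a record cannot be silently altered, swapped between patients, or rolled back without the decryptor noticing.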
Implementing technological countermeasures is not enough on its own, however; comprehensive cyber security awareness across the workforce matters just as much. At the University of Maryland Medical Center, for example, the breach prevention program includes annual employee training, monthly security council meetings that bring together the cyber team, compliance officers, auditors, and physicians, and regular consultations with cyber security experts.
Thus, the right combination of technologies and training can set healthcare organizations on a safer path in the era of cyber-attacks.