Why Does Healthcare Get Hacked?

12 May, 2017

According to a website maintained by the Department of Health & Human Services Office for Civil Rights, over 100 healthcare providers have suffered security breaches in 2017, and it’s only May. The breaches represent 1,708,000 affected individuals and are attributed to hacking, theft and unauthorized access of network servers, emails, laptops, desktop computers and other sources of digital records. This compares to 98 providers reporting breaches during the same period in 2016, affecting 3,712,000 individuals. That 2016 figure is inflated by a single breach at Florida’s 21st Century Oncology, which affected 2,213,597 individuals.

WHY IS HEALTHCARE SUCH A BIG TARGET FOR HACKERS?

According to a study conducted by the Ponemon Institute in 2016, looking at both covered entities[1] and business associates[2], healthcare organizations believe they are more vulnerable than other industries to a data breach. Fifty-one percent of healthcare organizations attribute this to a lack of vigilance in ensuring their partners and other third parties protect patient information. Forty-four percent attribute it to a lack of skilled IT security practitioners.

It’s an industry-wide problem affecting a wide swath of healthcare organizations. In fact, almost no one seems to be immune. In the Ponemon study, 89 percent of healthcare organizations reported that they have had at least one data breach involving the loss or theft of patient data in the past 24 months, and 45 percent reported more than five breaches.

DATA BREACHES IN THE LAST 24 MONTHS

When healthcare organizations were asked what type of security incident worries them most, 69 percent of respondents cited employee negligence or carelessness. Forty-five percent of respondents cited cyber attackers and 30 percent said it was the use of insecure mobile devices.

SECURITY THREATS HEALTHCARE ORGANIZATIONS WORRY ABOUT MOST

Despite the prevalence of data breaches in the healthcare sector, assessing vulnerabilities is rare and often random.

HOW OFTEN DO YOU ASSESS VULNERABILITIES?

Furthermore, in the wake of a security breach, security practices often remain unchanged. When asked how recent security breaches have affected security practices, almost half of organizations responded that no changes had been made.

HOW HAVE SECURITY BREACHES AFFECTED YOUR SECURITY PRACTICES?

And, although healthcare organizations recognize the need for putting incident response processes in place, they’re not exactly putting their money where their mouth is. Of the healthcare organizations that have an incident response plan and the necessary expertise to carry it out, the majority (56 percent) say more funding and resources are needed to make it effective. Seventy-seven percent of organizations allocate 20 percent or less of their security budget to incident response. And those budgets aren’t budging: ten percent of healthcare organizations report that budgets have decreased, while 52 percent say budgets have stayed the same.

Albert Einstein is famously credited with defining insanity as doing the same thing over and over again and expecting different results. Is that what the healthcare industry is doing with regard to data security? Organizations certainly understand that it’s a problem with harmful effects. But is enough being done to solve it? The Ponemon study would suggest otherwise.

An estimated one out of every three Americans has had their healthcare records compromised, and most have no knowledge of the compromise. Many of these records wind up for sale on the “dark web,” where hackers openly advertise themselves and what they’ve stolen. And, unlike a credit card number, which will sell for one to three dollars, a medical record is a gold mine of information and will sell for as much as 500 dollars. That’s because criminals can use such records to order prescriptions, pay for treatments and surgery and even file false tax returns. And, unlike credit cards, which can be quickly canceled, medical records live forever.

To find out why ShareVault is the industry leader in securing confidential documents for life sciences, click here.

[1] Covered entities (CE) are defined in the HIPAA rules as health plans, health care clearinghouses and healthcare providers who electronically transmit health information.

[2] A business associate (BA) is a person or entity that performs services for a covered entity that involves the use or disclosure of protected health information (PHI).