No one can argue that healthcare security is now needed more than ever. In 2015, the healthcare sector was targeted by cyber-criminals more than any other industry, despite not even making the top 5 the previous year. According to a report published by IBM, in the first half of 2015, almost 100,000,000 healthcare records were compromised.
And it is safe to say that 2016 isn’t any different: hardly a week goes by without news of sensitive, personal health information being stolen. The reality is that data breaches in healthcare organisations are becoming larger, costlier and more challenging than ever before.
Healthcare records that have recently become digitised (as opposed to the original physical copies) are extremely valuable to hospitals, clinics, small independent practices, pharmaceutical companies and other health organisations, but, most disturbingly, to hackers!
What factors explain the healthcare industry’s vulnerability to cyber-criminality? The first thing to take into consideration is how exposed to cyber-threats some organisations can be. All facets of IT infrastructure are involved in protecting the organisation from suffering an attack: threats can come from hackers or thieves, but also from employees, consultants, contractors or other business associates putting the organisation in jeopardy. It is also very common in healthcare organisations to find a lack of security expertise and security culture, as well as a lack of resources to handle IT security; this is particularly the case for small practices.
Another reason for the healthcare sector’s vulnerability is the fact that, due to the nature of the industry itself, a great number of different individuals access a large amount of sensitive records on a daily basis in order to carry out their work. To add to this concern, access control is weakened by some of these individuals being temporary employees, visitors from partner organisations, or even new employees – which makes maintaining effective security a real challenge. Furthermore, healthcare organisations also deal with a large diversity of devices: from servers to desktops, laptops, mobile devices and medical devices, all of them contain sensitive data that are at risk of a data breach. Last, but not least, the healthcare sector is mainly targeted by hackers because it has one of the lowest rates of data encryption.
Due to the very nature of the data healthcare organisations handle, cyber-criminals are driven to hit the industry hard: from personal health and payment information to intellectual property, hackers have a good chance of hitting the jackpot when breaking into a healthcare organisation’s systems. Healthcare data differs from credit card data in that credit card fraud has become easy to respond to quickly: you can cancel your cards or freeze a bank account in just a few clicks, or with a quick phone call to your bank. Hackers nowadays tend to focus more on the seemingly unprotected wealth of information that healthcare data holds.
There are two types of data that cyber-criminals target:
- Protected Health Information (PHI) – consists of an individual’s medical records and health information, including, but not limited to: name, birth date, policy numbers, diagnosis codes and billing information. That data is unique to each person, and cannot be changed (unlike credit card data that can be replaced easily).
- Electronic Health Record (EHR) – a record containing PHI: besides medical history, it can also include email addresses, Social Security numbers, banking details and employment information.
It is no surprise that health information has a first-rate resale price on the black market. Crooks mainly use this data for identity theft and fraud: by crafting fake IDs, they can buy expensive medical equipment or drugs that are not readily available, and resell them. Criminals also send fake claims to insurers to redirect reimbursement to themselves. Some of this fraud can amount to tens of thousands of dollars. It’s important to note that hackers also use this valuable information to launch incredibly detailed spear-phishing attacks.
Current threat landscape of healthcare organisations:
- Malware: specialised medical devices (such as X-ray equipment and blood gas analysers) are closed systems, which means they can’t be easily scanned for malware.
- Case study: a staff member opened an email and clicked on a malicious link, infecting his hospital’s network with a worm. The IT team cleaned it out but missed the infected devices, enabling the worm to open a back door through which hackers could still access the organisation’s data and extract it.
- Malicious websites
- Ransomware
- Shellshock: an attacker could gain control over a targeted computer by taking advantage of a vulnerability in the GNU Bash shell.
- Brute-force attacks: where hackers use an automated and repetitive method of trial and error to crack a user’s login details.
- Older and non-sanctioned applications: hackers can use VBScript to run arbitrary code on the systems of hospitals or healthcare organisations still using old versions of Internet Explorer.
- Accidental loss / device theft / employee negligence
- Case study: a physician got his laptop stolen from his home. Even though the data was encrypted, the thief could still access all of the doctor’s patient information, thanks to the password being written down on a sticky note attached to the laptop…
There is a huge need for data security to safeguard the privacy of patients’ and customers’ personal information. After all, protecting private health data is a vital aspect of a healthcare organisation’s business: healthcare organisations face higher client attrition after a data breach than any other industry.
IT security is essential for healthcare organisations, and it is also achievable. Stay tuned next week to learn how these businesses can protect themselves from cyber-criminality!