Healthcare-related security breaches are on the rise, but why should we care?
When a data breach occurs at a private company, the loss of personally identifiable information (PII) can be inconvenient to consumers, reputation-battering for the organization, and may lead to identity theft and further account compromise.
If a security incident takes place at a healthcare service, including hospitals and medical centers, the ramifications can be serious, given the sensitive nature of the data they store.
According to Black Book Market Research, 96% of IT professionals believe cyber-attackers are outpacing the security capabilities of medical organizations.
And although one in 10 healthcare patients is said to have been impacted by a medical data breach over the past five years, just 21% of hospitals reported having a dedicated cybersecurity executive, and only 6% said they have hired a chief information security officer (CISO).
Healthcare data breaches are now a frequent fixture in press headlines around the world. And after taking a closer look at the latest medical security incidents, it’s clear to see why this is a growing concern.
The latest healthcare data breaches – in focus
Over 93% of healthcare organizations have experienced a data breach of some kind over the past five years, according to Black Book research.
More than 50% have suffered at least five incidents over the same timeframe, the research states.
Here’s a rundown of some of the latest and most serious healthcare data breaches in 2019 and 2020:
- PIH Health (announced February 2020) – The personally identifiable information of nearly 200,000 current and former patients of this California healthcare network may have been compromised following a phishing campaign that successfully targeted employee accounts.
- CNNH (announced January 2020) – The Center for Neurological and Neurodevelopmental Health reported that it had detected suspicious activity on an employee’s email account. The number of potentially impacted patients was not disclosed.
- Alomere Health (announced January 2020) – The Minnesota hospital operator informed around 50,000 patients that their healthcare records may have been exposed following unauthorized access to two employees’ email accounts.
- Kalispell Regional Healthcare (announced October 2019) – An email-related data breach may have compromised the protected health information (PHI) of 130,000 patients.
- Women’s Care Florida (announced October 2019) – The records of approximately 528,000 patients were impacted by unauthorized access that remained undetected for months.
- Methodist Hospitals (announced October 2019) – The PHI of more than 68,000 US healthcare patients may have been exposed as the result of a phishing attack against this Indiana healthcare provider.
- Sarrell Dental (announced October 2019) – More than 390,000 patients were impacted by ransomware and systems intrusion. The organization spent two weeks rebuilding its network after the data breach was discovered.
- Premier Family Medical (announced September 2019) – PFM, a US healthcare provider with 10 facilities across Utah, alerted 320,000 patients to a ransomware incident that left the organization unable to access data from its systems.
- Dominion National (announced July 2019) – The organization reported a data breach that may have begun as far back as 2010. Unauthorized access to its servers led to the potential exposure of PHI belonging to nearly three million patients.
- American Medical Collection Agency (announced May 2019) – A data breach at healthcare billing provider AMCA between August 2018 and March 2019 impacted Quest Diagnostics and LabCorp, as well as numerous smaller organizations, leading to the exposure of data belonging to over 20 million consumers. Unauthorized access to a database was to blame.
- Inmediata Health Group (announced April 2019) – At least 1.5 million individuals potentially had their PHI exposed in 2019 due to a misconfigured website.
- Columbia Surgical (announced March 2019) – It is believed that a ransomware attack is to blame for the compromise of 400,000 patient records.
- UW Medicine (announced February 2019) – The University of Washington Medicine website contained a vulnerable component that allowed information belonging to roughly 974,000 individuals to be exposed online.
- UConn Health (announced February 2019) – Although the intrusion took place in August 2018, UConn Health only began notifying 326,000 patients of the potential exposure of their PHI in February 2019. Employee accounts containing patient records had been accessed without authorization.
How do healthcare breaches occur?
- Phishing campaigns that compromise employee email accounts, the most common cause among the incidents listed above
- Malware, including trojans, able to steal employee credentials and infiltrate networks
- Ransomware that locks up systems and leaves providers unable to access patient data
- Insider threats
- Supply chain compromise, including breaches at third-party companies that store or process patient records
- Lost or stolen devices, including smartphones and laptops
- Poor patching procedures and misconfigured internet-facing systems
- Lack of staff training and human error
It only takes one weak endpoint to risk an entire network. Speaking to The Daily Swig, Matt Aldridge, senior solutions architect at Webroot, said that “many hospitals haven’t fully grasped that their IT systems are mission-critical”.
“They need to take far more robust precautions to guarantee the availability of their systems,” Aldridge said. “Cybercriminals will continue to exploit security vulnerabilities in the healthcare industry, as there is a better chance of financial reward and return on their time investment.
“Whether the intent is to access patient data or collect a ransom, as long as these organizations remain easy targets, they’ll continue to be targeted.”
What is the cost of a healthcare data breach?
According to IBM’s annual Cost of a Data Breach study, the average data breach costs $3.9 million. For the ninth year in a row, however, healthcare organizations incurred the highest average cost of any industry, at close to $6.5 million per breach.
The risks can be higher for smaller organizations. According to Webroot research on healthcare SMBs:
- 73% of IT leaders say that employees inadvertently create security risks through lack of knowledge
- 66% say profits would take a hit as a result of cybersecurity incidents
- 60% agree that if their organization suffered a data breach, their business would be at risk of closure
What do cybercriminals want from your healthcare data?
If a cyber-attacker infiltrates healthcare-related systems, they may be able to compromise and steal Protected Health Information (PHI), including patient names, addresses, telephone numbers, medical conditions, treatments, pharmaceutical information, and insurance records.
Carbon Black estimates that PHI can sell for up to six times as much as standard PII. Per-record estimates for healthcare data vary: IBM cites $408 per record, while Black Book puts the figure at $423.
Unlike a credit card number, a medical history cannot be reissued or changed, which may account for the premium.
Stolen health insurance cards sell for between $10 and $120, and it may be possible to use stolen insurance details to obtain treatment fraudulently.
What is the impact of a healthcare data breach?
Healthcare organizations can face severe financial penalties when a data breach occurs. In the US, the industry is accountable under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
HIPAA civil penalties, most recently adjusted for inflation in 2019, range from $117 to $58,490 per violation, with an annual maximum of $1,754,698, depending on an organization’s level of culpability.
IBM’s 2018 Cost of a Data Breach report put the average time for a US healthcare organization to identify and contain a breach at approximately one year, and put US notification costs alone after the event at $740,000.
In 2018, the US Department of Health and Human Services (HHS) reported a record year in healthcare breach enforcement, with organizations handing over $28 million in settlements.
Disruption to core services, data loss, ransom demands, and the costs of forensic investigation and rebuilding systems add to the bill.
How should healthcare organizations manage the risk of data breaches?
There are numerous ways for healthcare organizations to improve their data breach defenses and overall security posture:
- Adopt a risk-based approach: Layers of defense are required from endpoints to the management of databases and devices allowed to connect to internal networks. By being aware of weak spots, providers can focus on shoring up the areas most susceptible to attacks.
- Hire security and compliance officers: Cyber insurance and damage control are not enough. In the same way as enterprise firms, healthcare providers must now have a team and leaders in place to protect their networks and avoid regulatory penalties due to oversight.
- Proactive, not reactive: If a data breach occurs, incident response is critical, but proactively maintaining adequate security hygiene can prevent breaches from occurring in the first place.
- Frequent patching: As the Anthem data breach showed, failing to recognize vulnerabilities that can be used against an organization, or leaving it too late to resolve them, can be disastrous.
- Communication: Attempting to cover up a data breach, or failing to treat impacted patients with empathy, can cause long-term damage to reputation. If mistakes are made, owning up to them transparently can go a long way toward healing a breach of trust.
Arguably the most critical area to tackle, however, given the constant flow of patients and staff, is that of connected devices and equipment, which can become conduits for attacks and present a massive attack surface ripe for exploitation.
“Prior to diagnosis, patients are taken to treatment rooms and left alone for a period,” Tim Mackey, principal security strategist at Synopsys, told The Daily Swig. “Any computing devices present in a treatment room may pose an entry point onto the facility’s private network and may also allow an opportunity to implant a device for future data collection.
“With physical access to an unattended computer, laptop or diagnostic device, an attack profile for that device could be created targeting the health system itself.”
“Where other industries should be more focused on external threat actors, healthcare’s challenges are more internal,” Tim Erlin, vice president at Tripwire, added.
“Healthcare organizations need to address the people and processes involved in the exchange of sensitive data, not just the technology.”