“Healthcare records contain some of the most detailed personal information available, and healthcare organizations are not doing enough to protect this information.”
These blunt words sum up a recent report on the “cyberhealth of the healthcare industry” published by security risk company SecurityScorecard. They rank healthcare 15th of the 18 major US industries surveyed in terms of their cybersecurity health, below industries like Food, Financial Services, Legal, Retail, and Non-Profit. The healthcare industry dropped six places in the rankings since the last report in 2016.
Two factors are at play in this negative rating. First, healthcare information is attractive to malicious actors. Second, the industry has not kept up with the changing cybersecurity landscape.
“An Appealing Target”
SecurityScorecard’s report notes:
“Electronic protected health information (ePHI) data remains an appealing target because it often contains social security, financial, health insurance, driver’s license data, as well as immutable types of information that can be used to steal identities and commit fraud. In addition, hackers are exploiting configuration issues and other lapses in security best practices to destroy healthcare records or hold them for ransom.”
Malicious actors can sell stolen health records on the black market for an average price of $50 per individual, according to Pam Dixon, founder and executive director of World Privacy Forum. That means that stealing even a modestly sized EHR from a smaller medical practice of 5,000 patients would be a $250,000 payoff for a cyber-criminal.
“More Than One Breach Per Day”
Additionally, cyber-attacks on healthcare providers increased from 2016 to 2017 and are expected to increase again in 2018. In 2017, there were 477 reported healthcare breaches, compared with 450 breaches in 2016. “In either year, this represents an average of more than one health data breach per day,” notes cybersecurity software company Protenus in their recent Protenus Breach Barometer Annual Report. Of those, 178 of the 2017 breaches came from hacking incidents, including ransomware and malware, which is 58 more than in 2016.
One thing that is clear is that healthcare organizations of all sizes are at risk of cybersecurity incidents, attacks, and breaches. At Eagle Consulting Partners, we have worked with a small medical practice that lost its entire electronic records database due to ransomware, and most recently a number of our clients were affected when Allscripts, the largest physician practice EHR vendor, was attacked by ransomware this January.
The second half of the healthcare industry’s cybersecurity challenges is that healthcare organizations are not doing enough to keep up with today’s cybersecurity challenges and risks. We will continue this topic in Part II.
At Eagle Consulting Partners, we provide information security consulting, risk analysis and management, HIPAA and computer security training, and policy development solutions for healthcare and healthcare-related organizations. Contact us if you have any HIPAA or cybersecurity needs, or if you’re just not sure where to start.