Tag: healthcare


Like an unimmunized person in a roomful of flu patients, the healthcare sector continues to be at high risk of catching something unpleasant. Cyberattacks and data breaches jeopardize the well-being of healthcare organizations of every size, and too often their exposure is a result of not doing everything they can to immunize themselves against attack.

In our 2017 Data Breach Industry Forecast, we predicted the profitability and uneven defenses of the healthcare sector would cause cybercriminals to continue to focus attacks on healthcare organizations. Numbers from the Identity Theft Resource Center indicate our prediction was right; by mid-year, 151 healthcare breaches have compromised more than 1.9 million records, accounting for nearly 22 percent of all 2017 breaches thus far.

We also predicted:

- Ransomware would emerge as a top threat for healthcare organizations.
- Cybercriminals would expand their range of targets within the sector, causing mega breaches to broaden their focus from insurers to other organizations, including hospital networks.
- Electronic health records and mobile applications would increasingly be targeted.

The year so far

In mid-May the WannaCry ransomware cyberattack became the largest ever, affecting computer systems in more than 150 countries. Ransomware uses malicious code to infect systems, seize control and shut down user access until the affected organization or individual pays a ransom to unlock their systems.

Britain’s National Health Service (NHS) was one of the largest victims of WannaCry, which infected medical devices as well as administrative PCs. The impact was widespread, affecting critical operations and causing hospitals to reject patients, doctor’s offices to shut down and emergency rooms to divert patients. Like a patient with a compromised immune system who ignores his doctor’s advice to get an annual flu shot, the NHS allegedly disregarded multiple security warnings to update and protect its systems.

Cybercriminals have also expanded their targets for mega breaches beyond insurers. So far in 2017, the largest known healthcare breach in terms of number of compromised records occurred at a urology practice in Austin, Texas. ITRC statistics show nearly 280,000 records were compromised through the breach of the practice, which has eight locations in the greater Austin area. According to the practice’s official data breach notice, a ransomware attack encrypted data stored on the organization’s servers.

Electronic health records were the target of cyberattacks at numerous healthcare organizations, including a fertility and menopause clinic in New Jersey, where more than 17,000 records were compromised, ITRC reports.

The number, scope and impact of healthcare cyberattacks will only grow. The industry that focuses on taking care of Americans’ physical and mental health should proactively take steps to safeguard its own health by updating security measures and data breach response plans.

Published: June 2, 2017 by Michael Bruemmer

Late last year, our Third Annual Data Breach Industry Forecast predicted cybercriminals would continue to focus their attacks on healthcare institutions, inspired by the knowledge that the black market value of medical records continues to surpass the value of credit card numbers. Industry experts we interviewed also predicted employee missteps would be a source of healthcare breaches.

Entering the final quarter of 2016, our prediction is playing out in the numbers; nearly half of all consumers affected by a data breach so far this year had their personal information exposed through a healthcare-related incident, according to information compiled by the Identity Theft Resource Center. In the first three quarters of the year, 256 medical and healthcare data breaches exposed more than 13.5 million records, the highest number of any sector the ITRC tracks. Records compromised in a healthcare breach accounted for 47.2 percent of all affected records in 2016.

The healthcare sector has been a hotbed of attacks throughout the year, largely due to the continued value of medical records sold on the dark web. These records can be used for far more than just filing fraudulent medical claims. One lucrative use is filing fraudulent tax returns. CNBC reported the IRS expects, and has been bracing for, an increase in tax fraud linked to the high number of medical breaches this year.

It’s easy to understand why medical records can be so profitable for hackers. While financial accounts such as credit cards may contain a limited amount of personal information, medical records are much more comprehensive. Typically, they contain a wealth of information far beyond mere account numbers. In addition to names, addresses and birth dates, medical records often contain Social Security numbers, which healthcare providers may use as patient identifiers.

The employee factor

Many of the mega-breaches of 2015 occurred through digital routes that the average consumer would find downright arcane. In 2016, we’ve seen an increase in smaller attacks with mundane origins such as stolen hardware, poorly secured employee email accounts or phishing attacks. Consider these examples reported in the HIPAA Journal:

- Four staff email accounts were compromised in a phishing attack on employees at City of Hope Hospital in California. To put it more bluntly, four hospital employees fell for scam emails and the result was, as ITRC reports, the exposure of more than 1,000 patient records.
- More than 200,000 patients of Premier Healthcare in Bloomington, Indiana, received notification letters after a password-protected but unencrypted laptop was stolen from the hospital’s billing department.
- A St. Louis, Missouri, not-for-profit healthcare system, BJC Healthcare, had to notify more than 2,300 patients their information was exposed after an employee mistakenly sent an email containing protected information to another medical organization.

For healthcare institutions, the takeaway from 2016 should be the need to remain vigilant and proactive regarding the many ways in which data breaches can occur. While 2015 was the year of healthcare mega-breaches, 2016 has seen the emergence of smaller breaches that still have the potential to cause significant harm to organizations and patients.

Published: November 2, 2016 by Guest Contributor

While technology undoubtedly has made accessing medical information much easier and faster, it has also provided an increased potential for medical data breaches, especially as health personnel begin to use unsecured mobile devices for personal and work use. With an increase in health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy.

However, many companies have failed to implement mobile data breach protection, breaking the HIPAA Security Rule, which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of electronic patient health information maintained by their organization. Companies are required to use the information gathered from the analysis to take measures to ensure the confidentiality of patient data and to reduce risks to a reasonable level. If companies don’t comply and there is a data security breach, they can be heavily fined by the U.S. Department of Health & Human Services.

Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million in a data breach of patient information when a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen. Hospital and practice officials were found guilty of violating the HIPAA Security Rule by not implementing data protection and security on their mobile devices. The loss of laptops, portable storage gadgets like thumb drives, and cell phones has already cost insurance companies, drugstores, medical practices and even a government health and social services department millions of dollars in fines.

Unfortunately, this troubling trend doesn’t just affect the medical industry. In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practices. The data revealed that many organizations lack policies addressing mobile cyber security threats.

Key statistics from the survey:

- 84 percent use the same smartphone for personal and work usage.
- 47 percent don’t have a password on their mobile phone.
- 51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen.
- 49 percent said their IT departments have not discussed mobile/cyber security with them.

Clearly, companies are not doing enough to protect themselves and their employees from the expensive cost of a data breach. As mobile devices become popular and less expensive, workers will naturally want to use them for their jobs. Therefore, it is prudent for companies to adopt business data breach protection and security policies to protect not only their company data but also their pocketbook.

Published: November 1, 2012 by Michael Bruemmer
