Prescription for trouble: healthcare industry faces rising risk, rising losses

By Erin Ayers on May 14, 2015

As personal health information (PHI) reaches a new level of popularity among cybercriminals, the healthcare industry finds itself at a challenging crossroads – how to deflect cyber attacks while following regulatory standards and keeping information accessible for medical professionals and patients.

Several recent studies, as well as Advisen data, illustrate the problems faced by healthcare entities. Medical identity theft skyrocketed over the last few years, with a McAfee Labs report estimating that a single health credential can sell for 10 to 20 times as much as a credit card number on the darknet. Medical ID theft can be harder both to detect and to prevent, costing consumers thousands of dollars to resolve.

With these factors, it’s no surprise that a 2014 report from BitSight questioned whether healthcare could become “the next retail.” With only 52 percent of all healthcare organizations earning an “A” grade in cybersecurity, the sector ranked as the second-lowest performing, beating only educational institutions.

“Unlike the financial institutions and electric utilities in the S&P 500, the healthcare and pharmaceutical companies do not view cyber security as a strategic business issue. They do not spend enough resources to protect their data, in part because cyber security has not received the executive level attention it deserves,” stated BitSight. “In general, this sector tends to spend only the resources required to be compliant with regulations such as HIPAA, and compliance does not equate to security. More prescriptive controls and better enforcement of HIPAA would certainly help improve security in the healthcare sector, along with a greater emphasis on security throughout these businesses.”

High Cost

The price tag of cyber risk for healthcare has risen. A new study from the Ponemon Institute pegged the annual loss to the healthcare industry at $6 billion, with data breaches dramatically affecting these organizations.

“More than 90 percent of healthcare organizations represented in this study had a data breach, and 40 percent had more than five data breaches over the past two years,” stated Ponemon in its study. “According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.”

Turning to the cause of loss, Ponemon’s study found that insider error was not the main culprit.

“For the first time, criminal attacks are the number one cause of data breaches in healthcare,” the firm noted. “Criminal attacks on healthcare organizations are up 125 percent compared to five years ago. In fact, 45 percent of healthcare organizations say the root cause of the data breach was a criminal attack and 12 percent say it was due to a malicious insider. In the case of [medical business associates], 39 percent say a criminal attacker caused the breach and 10 percent say it was due to a malicious insider.”

That said, a majority (70 percent) of survey respondents said they were more concerned about the risk presented by employee negligence and lost or stolen mobile devices. Only 19 percent said identity thieves presented a concern. Coupled with the information that few healthcare organizations, when breached, offer protective services to customers, this may highlight a disconnect between what the industry believes to be important and what consumers value.

“Despite the risks to patients who have had their records lost or stolen, 65 percent of respondents do not offer protection services. Only 19 percent offer credit monitoring and 10 percent offer other identity monitoring,” Ponemon revealed.

Connected Crime

McAfee, in its report, commented on an added level of risk for healthcare: Internet of Things-connected devices. “One type of threat is particularly alarming: With the increasing proliferation of healthcare IoT devices and their use in hospitals, the threat of the loss of information contained on those devices becomes increasingly likely,” said the firm. Connected devices represent not only a source of data of interest to thieves, but the potential for criminal mischief for hacktivists or cyber-terrorists.

Well over a year ago, the FBI warned of the risk to the healthcare sector, commenting in an alert, “Cyber actors will likely increase cyber intrusions against health care systems—to include medical devices—due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.” The alarm has been sounded, and it remains to be seen whether the industry improves its security standings.

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.