Healthcare is one of the most scrutinized industries by data security regulators, and for good reason. People have a reasonable expectation that their healthcare information will remain private, but as a whole, the healthcare industry’s record for data security has been less than stellar.
A survey of 91 healthcare organizations by the Ponemon Institute and ID Experts found that 90 percent of healthcare organizations had at least one data breach in the past two years. According to the same study, only 55 percent believe they have sufficient policies and procedures to prevent or quickly detect unauthorized patient data access, loss or theft.
According to Advisen’s Loss Insight database, the number of cyber cases involving healthcare and pharmaceutical companies has remained fairly steady over the previous three years. Some cybersecurity experts predict that this will change in 2015 and beyond, as the industry becomes increasingly vulnerable and attractive to cyber criminals.
The past decade has seen the healthcare industry make significant strides in the broad-based implementation of electronic medical records (EMRs). Many consider this a positive in terms of providing quality and cost-effective care, but it also poses challenges to securing protected health information (PHI). In fact, earlier this year the FBI issued a series of alerts directed toward the healthcare sector warning of increased risk of cyber intrusions, especially when transitioning to electronic medical records.
Experian’s second annual Data Breach Industry Forecast anticipates that in 2015 the healthcare industry will be targeted more often: “The expanding number of access points to PHI and other sensitive data via EMRs and the growing popularity of wearable technology make the healthcare industry a vulnerable and attractive target for cybercriminals.”
On the hacker black markets, PHI “is even more valuable than credit card data,” selling for approximately 10 to 20 times the value of credit card records according to McAfee Labs’ Threats Report.
With these kinds of returns it is not surprising that PHI (“Personal Privacy” on the graph below) continues to be the leading type of data lost by healthcare and pharmaceutical companies in 2014.
The dominant cyber-case type in the healthcare/pharmaceutical industry is “digital data breach, loss or theft,” which makes up about 40 percent of healthcare-related cases tracked by Advisen. This is perhaps not surprising since many in the healthcare industry claim to have insufficient policies and procedures to prevent or quickly detect unauthorized patient-data access, loss or theft.
Many doctors’ offices, hospitals and other healthcare facilities simply do not have the infrastructure in place to prevent increasingly sophisticated cyber criminals from accessing their patients’ PHI.
It is also significant to note that paper records continue to be a source of vulnerability for healthcare organizations. While many hospitals and other healthcare providers have transitioned to electronic records, many others continue to rely on paper records. In one case, a hospital was fined for leaving 71 boxes of medical records unattended on a driveway within 20 feet of a public road and a short distance from a heavily trafficked shopping area.
Cybercriminals appear to be interested in far more than just PHI, however. As reported last week by Advisen’s Chad Hemenway in his article Flies on many walls of Wall Street: FireEye tracks group hacking insider info, “A group looking to gain an edge in stock trading is targeting email accounts for insider information from C-level executives, legal counsel, outside consultants, and others in the know.”
According to cybersecurity firm FireEye, more than 100 firms have been targeted for inside information on mergers-and-acquisitions that could be used to gain an advantage in the stock market. The healthcare industry accounts for a significant portion of the total value of all merger deals and as a result has been highly targeted for this type of information.
Lax security standards, the transition to EMRs, the increased use of mobile devices and Internet-connected medical devices, and the high financial payout for medical records on the black market, all will likely contribute to another challenging year for the healthcare industry.