Cyber criminals have stolen credit card information for years. Now, they are turning their eyes to something more lucrative: your patients’ health data. More than 170 million patient health records have been breached since 2009, according to Redspin’s 2016 Breach Report, and that number keeps growing.
Health executives rank cyber security – protecting the privacy and security of consumer information – as one of their top challenges for 2018, according to Healthcare Executive Group’s Top 10 survey. This shouldn’t come as a surprise as major ransomware attacks on hospitals and healthcare centers continue making headlines, revealing cyber criminals’ growing appetite for patient health records.
Hollywood Presbyterian Medical Center, for example, paid a $17,000 ransom in bitcoin in 2016 after ransomware encrypted the hospital’s computer systems. In 2017, the WannaCry ransomware (also reported as ‘Wanna Decryptor’) alone affected more than 20 British hospitals and companies, as well as 45 public health organizations across the United Kingdom. Some of these medical centers were forced to revert to pen-and-paper record-keeping and other manual processes, exposing them to patient-safety and financial risks that are nearly impossible to quantify.
Medical records contain multiple pieces of private information, from social security numbers to prescriptions, making them extremely valuable to cyber criminals. Once stolen, criminals sell sensitive personal health information to other criminals pursuing identity theft, health insurance fraud, drug trades and other illegal activities.
The main value driver of health information is its longevity, according to Intel Security McAfee Labs “Health Warning” report, which examines the business of cyber crime and the marketplace for stolen health data. Financial information may be easier for cybercriminals to monetize, but credit card numbers, ATM PINs, etc., are also easier for victims to change, which means they have a short shelf life. Stolen financial data has to be sold quickly before its value is lost.
Health information, on the other hand, contains personal identifiers such as names, addresses, Social Security numbers and medical histories, which can be more challenging for cybercriminals to quickly turn into profit. However, that data doesn’t expire, so there is more time to sell it and more time to use it to create fake identities that can be sold to the highest bidder.
With the proliferation of personalized healthcare technologies like smart watches and other types of wearable systems, cyber criminals have more opportunities to steal data than ever before. As a healthcare organization, how are you protecting your patients’ information and business from these attacks?
There are several reasons why healthcare organizations are especially vulnerable to cyber attacks and data breaches. Let’s look at three of the most common:
- Disparate and legacy IT systems
- Insufficient internal controls
- Lack of cyber security awareness training
Many hospitals, health systems and physician practices are not only running multiple IT systems that hold sensitive data (an EHR, practice management software, etc.), they are also running outdated, legacy systems that no longer receive vendor security patches; unpatched systems of exactly this kind are what self-propagating ransomware such as WannaCry exploited. In addition, they may not have implemented basic security controls, including firewalls and other technical safeguards, reliable and tested backups with redundancy, and two-factor authentication.
One of the key components of an internal controls program related to cyber security is restricting access to sensitive data, including protected health information (PHI), to what each role actually needs. A receptionist does not need – and should not have – the same level of access to data as a physician does. Healthcare organizations that don’t properly segment and restrict user access expose far more PHI than necessary to any single compromised account or careless employee.
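The receptionist-versus-physician distinction above, as an added example that is not from the original article: a deny-by-default, field-level role policy applied to a constructed patient record, with an audit entry for every read. The role names, field names, sample record and helper functions are hypothetical; a real EHR would load the policy from its configuration and the record from its database.

```python
"""Field-level, role-based access to a patient record (added example).

Deny by default: a role may read only the fields its policy lists, so a
newly added PHI field is withheld from everyone until access is granted
on purpose. Every read is recorded so reviewers can see who saw what.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Tuple

# Constructed sample record (hypothetical data, not a real patient).
SAMPLE_RECORD: Dict[str, Any] = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "date_of_birth": "1970-01-01",
    "ssn": "000-00-0000",
    "address": "1 Example St",
    "diagnoses": ["E11.9"],
    "prescriptions": ["metformin 500mg"],
    "next_appointment": "2018-03-01 09:00",
}

# Hypothetical policy: each role reads only what its job requires.
# Front desk sees scheduling data; billing sees identity and insurance
# identifiers; clinicians see clinical data but have no need for the SSN.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({"patient_id", "name", "next_appointment"}),
    "billing": frozenset({"patient_id", "name", "date_of_birth", "address", "ssn"}),
    "physician": frozenset({
        "patient_id", "name", "date_of_birth",
        "diagnoses", "prescriptions", "next_appointment",
    }),
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log entry: who read which patient, and which fields."""
    user: str
    role: str
    patient_id: str
    granted: Tuple[str, ...]
    withheld: Tuple[str, ...]


AUDIT_LOG: List[AccessEvent] = []


def read_record(user: str, role: str, record: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the fields the role may see, logging the access.

    An unknown role gets an empty policy and therefore sees nothing.
    """
    allowed = ROLE_POLICY.get(role, frozenset())
    visible = {k: v for k, v in record.items() if k in allowed}
    withheld = tuple(sorted(k for k in record if k not in allowed))
    AUDIT_LOG.append(AccessEvent(
        user=user,
        role=role,
        patient_id=str(record.get("patient_id", "?")),
        granted=tuple(sorted(visible)),
        withheld=withheld,
    ))
    return visible


def unreachable_fields(record: Dict[str, Any],
                       policy: Dict[str, FrozenSet[str]] = ROLE_POLICY) -> List[str]:
    """Fields no role can read: useful when reviewing a policy for gaps
    (or for fields that should be retired because nobody needs them)."""
    return sorted(k for k in record
                  if not any(k in allowed for allowed in policy.values()))


if __name__ == "__main__":
    print("receptionist:", read_record("alice", "receptionist", SAMPLE_RECORD))
    print("physician:   ", read_record("dr_bob", "physician", SAMPLE_RECORD))
    print("unknown role:", read_record("mallory", "intern", SAMPLE_RECORD))
    print("unreachable: ", unreachable_fields(SAMPLE_RECORD))
    for event in AUDIT_LOG:
        print(f"{event.user} ({event.role}) read {event.patient_id}: "
              f"granted={event.granted} withheld={event.withheld}")
```

The design choice worth copying is the direction of the default: the policy enumerates what each role may see, not what it may not, so a compromised receptionist account yields scheduling data rather than the full chart, and a field that was never assigned to any role stays hidden instead of leaking.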
Healthcare organizations can reduce their risk of cyber attacks by commissioning penetration testing, in which authorized testers simulate real attacks to assess how well your systems and staff hold up before a criminal tries the same thing. In addition to identifying exploitable vulnerabilities, penetration testing reveals what types of information an attacker could reach, and how far they could get, if an attack succeeds.
As the value of health data increases, the business of cyber crime becomes more sophisticated, and regulators increase enforcement, healthcare organizations need to become more vigilant in protecting their business and patient data. Proper controls, technology upgrades and employee training can help organizations to guard against threats, identify vulnerabilities and mitigate risk. To learn more about protecting your healthcare organization from cyber threats, contact a firm with expertise in information security and experience serving healthcare clients.
Kevin N. Fine, MHA, MSM, is a director of healthcare advisory services in the Miami office of Kaufman Rossin, one of the Top 50 CPA and advisory firms in the U.S. He can be reached at firstname.lastname@example.org.