May 12, 2016

Healthcare Data Breach: Why Hospitals Are Still Getting Hacked

Have you noticed that hospital data security seems to be popping up in the news more often, with hospitals having been targeted by information thieves?

Often the weapon is ransomware: malware that encrypts computer files so the attackers can demand a ransom to unlock them.

The 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon showed that criminal attacks of all kinds have increased 125% since 2010 and are now the leading cause of data breaches in healthcare. Over the past two years, 91% of healthcare organizations had one data breach while 40% had more than five.

Why is the healthcare sector being targeted?

  • Digitization: The Health Information Technology for Economic and Clinical Health (HITECH) Act has been encouraging hospitals to adopt electronic health records since 2009 – and it’s working. The proportion of American hospitals with an electronic health record has grown from 9% in 2008 to 76% in 2014, according to a recent Harvard Business Review article. But while digitization improves delivery of healthcare services, it also increases the risk of data theft. Solution: To reduce the risk of a hospital data breach, appoint an information security team, create security policies and procedures, and implement cyber security best practices.
  • Technology landscape: Many hospitals have dated safeguarding technology. In a 2014 analysis of malicious traffic by the SANS Institute, the networks and internet-connected devices of hospitals and other healthcare organizations were being compromised at an “alarming” frequency. Solution: Use the most up-to-date safeguarding technology, apply layered security protocols, and have a data breach response plan in place.
  • Human error: In a recent cyber attack at Methodist Hospital in Kentucky, ransomware got past the hospital’s email spam filter and an employee opened the email, which spread the malware to the network. Phishing attacks like this trick the recipient with legitimate-looking emails. Solutions: Improve health data security by providing ongoing security awareness and training. Teach employees how to recognize suspicious activity, and how to protect their own personal information on social media.
  • Critical services: Because of the critical nature of healthcare services, hackers count on hospitals paying a ransom quickly when ransomware suspends computer-related operations. Solution: Back up files regularly so that if malware freezes networks, there is a choice between paying and restoring from the backup files.
  • Consumer health apps: As health-related apps and Internet of Things devices connect to networks, data can be stolen, and there are patient safety issues too. Some of these devices also connect to the hospital’s network. Solutions: Keep devices updated, behind firewalls, and on networks separated from key medical and personal data.
  • Value: “Electronic health records are 100 times more valuable than stolen credit cards,” said James Scott of the Institute for Critical Infrastructure Technology in an online Newshour story. A single Medicare electronic health record can get $500 on Darkweb forums, said Scott. Solutions: Be sure the hospital is in compliance with the Health Insurance Portability and Accountability Act (HIPAA), which protects personal information collected by healthcare organizations. When digitized information is no longer needed, secure destruction of hard drives and other devices is critical.
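The "Critical services" point above only works if the backups are known to be intact before they are needed. The following is an added example, not code from the original article or from any vendor it mentions: it records a SHA-256 manifest of a records directory and later re-checks it, flagging files whose contents have changed and now look like random data (high byte entropy), which is what an encrypted file looks like. The directory layout, file names, the 7.5 bits/byte entropy cutoff and the `demo()` scenario are all constructed assumptions for illustration.

```python
"""Backup manifest verification (added example, not from the original post).

Build a SHA-256 manifest of a directory, then re-check it later. A file whose
hash changed AND whose contents now have near-random byte entropy is reported
as suspicious: that is the moment a clean backup copy must be restored rather
than a ransom paid.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed cutoff: plaintext records score well below 7.5 bits/byte,
# encrypted or random data scores close to 8.0.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path):
    """Hash a file in 64 KiB chunks so large records do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a bytes object (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the directory against a manifest.

    Returns a dict with three lists: 'missing' (file gone), 'modified'
    (hash differs) and 'suspicious' (modified and high-entropy contents).
    """
    report = {"missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
            continue
        if sha256_file(full) != expected:
            report["modified"].append(rel)
            with open(full, "rb") as f:
                sample = f.read(65536)  # first 64 KiB is enough to judge entropy
            if shannon_entropy(sample) > ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
    return report


def demo():
    """Constructed scenario: take a manifest, then overwrite one record with
    random bytes (what an encrypted file looks like) and append a legitimate
    line to another. Only the first should be reported as suspicious."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "records"))
        p1 = os.path.join(root, "records", "patient_0001.txt")
        p2 = os.path.join(root, "records", "patient_0002.txt")
        with open(p1, "w") as f:
            f.write("Name: Example Patient\nDOB: 1970-01-01\nMRN: 000001\n" * 50)
        with open(p2, "w") as f:
            f.write("Name: Another Patient\nDOB: 1980-02-02\nMRN: 000002\n" * 50)
        manifest = build_manifest(root)

        with open(p1, "wb") as f:
            f.write(os.urandom(4096))       # simulated ransomware rewrite
        with open(p2, "a") as f:
            f.write("Visit: 2016-05-12\n")  # benign edit
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be written at backup time and stored with the backup copy, on media the production network cannot overwrite, so that a later mismatch report can be trusted.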

To protect sensitive information on paper, your information security partner should also provide best-in-class document shredding – and secure recycling.