Why Healthcare Data is a Common Target for Hackers
Healthcare and hospital organizations receive a significant share of the targeted data breach attempts coming from the hacking community. Healthcare is often seen as an easy target, and the reward for the attacker is often a treasure trove of confidential information which can be easily sold or exploited on the black market.
There is evidence to suggest that healthcare organizations are targeted twice as often as all other industries. According to an analysis by security software firm Fortinet, the average rate of intrusion attacks per day for healthcare companies is around 32,000, whereas for non-healthcare organizations this figure drops significantly to around 14,300.
Given this study, which is derived from healthcare threat telemetry data, it is unsurprising that the total number of healthcare records breached between 2009 and 2017 is an eye-popping 176.7 million.
Why hospitals are the most commonly breached and tend to have the most exposure
Electronic patient data contains a compelling amount of personal data which has significant potential to be used maliciously. Often highly sensitive and strictly confidential records are kept about a patient’s welfare and treatment program.
This will often include confidential proprietary information, employee records, and personally identifiable customer details. If this information was to leak, it could result in significant risk to a person’s finances and ongoing credibility.
To protect patients and greatly reduce the risk to patients, organizations that handle electronic protected health information (ePHI) must be compliant with the Health Insurance Portability and Accountability Act (HIPAA) as well as other key healthcare regulations. Beyond the potential for significant fines, there is also an additional potential for lost credibility and liability costs to a healthcare organization due to the damaging exposure that follows HIPAA violations.
Why certain kinds of hospitals are at greater risk
There have been several studies conducted on which healthcare facilities are targeted by hackers. The data suggest that hospitals are more commonly targeted than any other covered healthcare entity, and that there are concerns with both physical and digital data compliance. Thefts of physical items such as paper records, microfiche or film are more common than data breaches; however, it can be argued that data breaches typically compromise a higher volume of patients' data and can have a more significant impact on both the patient and the healthcare organization.
One key study was published in the American Journal of Managed Care (AJMC). In February 2018, the research team combined multiple data sets, comparing data breach information from the Office for Civil Rights (OCR) with the characteristics of hospital types from the American Hospital Association (AHA) databases.
The analysis looked at all large data security events that occurred from 2009 until 2016; an incredible 30% of high-volume attacks targeted healthcare organizations.
- 215 healthcare organizations reported data breaches. This number counts only breaches impacting 500 or more patients.
- 185 breaches took place at non-federal acute care hospitals
- 30 hospitals experienced more than one breach over the research period
- 1 hospital experienced four major breaches
- 5 hospitals reported three major breaches
- 24 hospitals suffered two major breaches
The 500-patient cutoff is key, as that is the line that Health and Human Services (HHS) sets for distinguishing between breaches that must be reported immediately and smaller breaches that can be reported annually.
How can hospitals limit the risk of data breaches
The threat to healthcare data continues to be extremely high, despite the widespread use of security technologies and operational protocols and the focus placed on data protection by compliance mechanisms (particularly HIPAA/HITECH).
The American Journal of Managed Care (AJMC) also noted that the amount of risk experienced by different hospitals is based on factors such as market concentration, hospital governance, region of the facility, local attributes, health system membership, type of hospital, and bed size.
By looking at these and other characteristics, the researchers identified correlations that reveal the commonalities between breached organizations. The key findings are:
- Private hospitals were less likely to experience data breaches than non-profit or government-run hospitals
- 6% of pediatric hospitals reported a data breach
- 18% of teaching hospitals reported a data breach
How can healthcare organizations protect against data breaches?
Healthcare organizations are frequently targeted by criminals because the low risk taken and the high reward gained make them an easy target. IT systems can often be seen as a secondary priority by health staff, who naturally focus their attention on patients and the welfare of others.
It can be argued that this results in healthcare IT systems being targeted so that criminals can take advantage of the weak login credentials used by employees. Healthcare IT systems may not be managed and maintained to industry best practice; this may be down to poor training of technicians, or to complex software which requires a down-level operating system, all of which can result in vulnerable IT systems with limited infrastructure security.
Attacks and attempts to breach data are becoming increasingly common, rising nearly 11% last year. According to Protenus, 407 breaches were reported in 2016, and this jumped to 450 in 2017. Thankfully, though, the attacks in 2017 were not at such a large scale as the year before, with 5.6 million total records compromised in 2017 vs. 27.3 million in 2016.
With healthcare attacks and reported breaches on the rise, it is important to protect your PHI and ePHI data. The basis of a powerful, resilient, secure, and HIPAA-compliant approach is leveraging a secure infrastructure platform. As you assess and improve your protections, be certain that any host you consider is not just HIPAA-certified but also complies with other key standards, such as the American Institute of Certified Public Accountants' (AICPA's) Statement on Standards for Attestation Engagements 18 (SSAE 18).
Marty Puranik is the CEO and President of Atlantic.Net, a web hosting solution that provides HIPAA-Compliant, Managed, Dedicated, and Cloud hosting.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individual.