When doctors, hospitals and other healthcare providers welcome patients into their care, they want them to feel well looked after in every respect. From medical treatment itself to the sensitive information that goes into records, patients need to feel secure during what can be a very vulnerable time with illness or injury. Yet the sensitivity of patient information makes the sector itself particularly vulnerable to cyberattacks. In 2018, the U.S. medical and healthcare sector had 155 breaches, which accounted for nearly 28% of data breaches across all sectors. That’s more than any other area except business. Healthcare also had the highest exposure per breach, with 2.9 million patient records affected, according to the ID Theft Center.
For healthcare, such violations to information systems have gone from a matter of “if” to “when,” a phenomenon that has large and small healthcare organizations struggling to figure out how to prevent or minimize breaks in their systems’ integrity.
Why Healthcare Data is a Target
The leading reason why criminals steal data is to sell it for profit. Financial records, such as credit card information, fetch a higher price than medical data, yet cybercriminals put extensive time and resources into targeting healthcare. Stability may be the reason. People can cancel a credit card account quickly, but medical data endures. Health insurance information for patients and employees, for example, often includes Social Security numbers, dates of birth, addresses, diagnoses, prescriptions and payment information. Criminals use this data to commit various forms of identity theft. Healthcare IT News reported that, in 2018, UnityPoint Health (a network of hospitals, clinics and home care services in Iowa, Illinois and Wisconsin) inadvertently exposed information for 1.4 million patients during a phishing attack when someone posed as an executive within UnityPoint via emails. The stolen data included all of the above items, plus driver’s license numbers. It was the second data breach for the health system that year and the biggest data breach for the health sector in 2018.
The University of Illinois at Chicago notes that medical data could soon match or surpass financial data in value on the black market. This hasn’t happened yet, but the healthcare industry does not appear to be as prepared with data security as other sectors, according to Health Informatics.
High Cost: Dollars and Patient Loss
As valuable as healthcare data is to criminals, the breaches they commit are extremely expensive for healthcare providers. The Ponemon Institute, which conducts independent research on data protection, found that healthcare data breaches cost the sector $408 per patient record—three times more than any other industry—according to the 2018 Ponemon Cost of Data Breach Report. The breaches cost U.S. healthcare providers an average of $7.91 million—more than providers in any other country. Buffalo-based Erie County Medical Center, for example, had to pay out nearly $10 million to rebuild its systems after an April 2017 ransomware attack. The Chicago Tribune reported that a year earlier, Advocate Health Care agreed to pay $5.55 million after three data breaches involving its physician-led medical group subsidiary, Advocate Medical Group.
Post-breach costs include those for implementing or updating IT tools to prevent and detect breaches; hiring cybersecurity experts, lawyers and PR firms; and possible litigation costs. HIPAA fines can be steep. Usually levied within three years after a breach, they are based on culpability and can range from $100 to $50,000 per violation. The Office of Civil Rights determines culpability and can require a provider to overhaul its system and hire an independent monitor for three years. According to Healthcare Finance News, these measures can cost an institution $10 million.
There also is the tremendous loss of time and associated costs that comes when a provider and its employees must do damage control. And finally, there is the loss of reputation that affects patients, employees and relationships with other businesses.
A recent scholarly study, financed in part by the National Science Foundation, found from a matched sample of 761 U.S. hospitals that while data breaches do not seem to affect patients’ short-term choices, the cumulative effect of breaches over a three-year period decreases the number of outpatient visits and admissions. The more patient records stolen in a breach, the greater the patient loss. And when an organization is in a marketplace with greater competition for patients, the more breaches it has, the greater the loss.
Data Breaches Take Many Forms
HIPAA Journal notes that a third of all healthcare data breaches in 2018 involved email. Phishing, unauthorized email access, and misdirected emails accounted for many of the attacks. Cybercriminals attack healthcare providers in other ways as well. The Identity Theft Resource Center puts breaches into seven categories: insider theft; hacking or computer intrusion (which includes phishing, ransomware or malware, and skimming); data on the move (the electronic transfer of information, or physical transfer of equipment such as a laptop or hard drive); physical theft; employee error or negligence (including improper disposal or loss); accidental internet exposure; or unauthorized access.
Five areas within healthcare organizations are especially vulnerable. These trends are not entirely new, but cybercriminals continue to advance in their methods, which will keep healthcare IT executives on their toes.
- The cloud – Retaining large amounts of confidential information in the cloud is convenient, but it is challenging for IT staff to protect. Criminals “don’t need to spend reconnaissance time looking at on-premises components,” Abdul Rahman, the cybersecurity chief scientist with Fidelis, told Healthcare IT News. “It takes a lot more effort to defend the terrain than it does for them to attack it.” Monitoring traffic and data flow to and from the cloud is increasingly necessary.
- Unsecured mobile devices – Connected devices, such as smartphones and Web-connected medical equipment, can be weak points and need to be secured and constantly updated. If providers allow employees to use their own mobile devices, having a policy in place for BYOD—bring your own device—can help control system access and how each device is profiled.
- Ransomware – This continues to be a major threat to healthcare data security as it takes on new forms. Cybersecurity expert McAfee Labs believes ransomware technology will go beyond extortion to cyber-sabotage and organization-wide disruption. Communicate to employees that IT weaknesses aren’t all technology-related. Users pose risks as well and need to be regularly trained and updated on the latest cyber schemes.
- IoT threats – The Internet of Things and connected healthcare promise major advantages for providers and patients, but wearable and implantable IoT devices can be vulnerable to attack. Protecting the collection, storage and transmission of the data they produce is a major issue. Most devices do not support an endpoint security agent, so they can’t block attacks. Finding a way to guard these unmanaged components will be key.
- Users themselves – Despite the efforts of many providers, healthcare employees still do not receive enough education about cybersecurity, which presents a serious threat. Training should include daily reminders of security policies. Weak passwords, in particular, are still common and expose healthcare providers to password spray attacks, in which criminals try a single common password against many accounts. According to HealthTech, the most-used passwords in 2018 still were “12345” and “password.”
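As an added illustration (not from the article), a small detector for the password spray pattern just described, run over a constructed authentication log: it flags a source that fails against many distinct accounts with few attempts each, which per-account lockout counters never see, and lists any account that then logged in successfully from that source. Thresholds, log format and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, result, source IP, account.
# 203.0.113.7 tries one password against many accounts; 198.51.100.4 hammers a single account.
SAMPLE_LOG = """\
2018-11-05T08:00:01 FAIL 203.0.113.7 a.nurse
2018-11-05T08:00:03 FAIL 203.0.113.7 b.doctor
2018-11-05T08:00:05 FAIL 203.0.113.7 c.admin
2018-11-05T08:00:07 FAIL 203.0.113.7 d.billing
2018-11-05T08:00:09 FAIL 203.0.113.7 e.records
2018-11-05T08:00:11 SUCCESS 203.0.113.7 f.frontdesk
2018-11-05T08:01:00 FAIL 198.51.100.4 g.pharm
2018-11-05T08:01:30 FAIL 198.51.100.4 g.pharm
2018-11-05T08:02:00 FAIL 198.51.100.4 g.pharm
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, result, src, user = line.split()
        events.append((datetime.fromisoformat(ts), result, src, user))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources whose failures within `window` span >= `min_accounts` distinct accounts
    with <= `max_per_account` failures each (many accounts, few tries per account: the
    spray signature that a per-account lockout never trips). Returns {source: [accounts]}."""
    by_src = defaultdict(list)
    for ts, result, src, user in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):   # slide the window over each failure
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(counts)
                break
    return flagged

def compromised_candidates(events, flagged):
    """Accounts that logged in successfully from a flagged source: review these first."""
    return sorted({u for _, r, s, u in events if r == "SUCCESS" and s in flagged})
```

The single-account source is deliberately not flagged: that is a brute-force pattern that a normal lockout policy already handles.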
HealthTech points out that, on the more technical side, a vulnerability in Kubernetes may be exploited. Kubernetes is a platform for running containerized applications, including in the cloud. Versions prior to v1.10.11, v1.11.5 and v1.12.3 handle certain error responses incorrectly, which can lead to unauthorized access to backend servers. The Register, which reports on the tech community, indicates that cybercriminals can use Kubernetes vulnerabilities to steal data, inject malicious code or bring down applications and services behind a firewall. Healthcare providers’ IT staffs should be aware if they use a Kubernetes system and apply patches as needed.
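Checking whether a cluster is on a patched release is less obvious than it looks, because the fix landed on three minor lines at once: a naive "is my version at least 1.12.3" test would wrongly flag a patched v1.10.11. The added helper below (not from the article) compares each cluster's reported server version against the fixed releases the text lists; treating minor lines older than 1.10 as unpatched and 1.13 and later as fixed, and the version-string suffixes, are assumptions.

```python
import re

# Earliest fixed patch release on each affected minor line, as listed in the text above.
FIXED = {(1, 10): 11, (1, 11): 5, (1, 12): 3}

def parse_version(tag):
    """Turn a Kubernetes version string ('v1.11.4', '1.12.3-gke.2', 'v1.10.11+abc')
    into a (major, minor, patch) tuple, ignoring any vendor suffix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {tag!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(tag):
    """True when the release predates the fix on its own minor line."""
    major, minor, patch = parse_version(tag)
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    # Assumption: minor lines older than the three listed never received a fix,
    # and lines newer than 1.12 shipped after it (hence fixed).
    return (major, minor) < (1, 10)

def audit(server_versions):
    """Map cluster name -> 'patch needed' / 'ok' for a dict of name -> reported version
    (as printed by the server side of `kubectl version`, a constructed input here)."""
    return {name: ("patch needed" if is_vulnerable(v) else "ok")
            for name, v in server_versions.items()}
```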
There’s More That Providers Can Do
While CIOs and IT staffs have been working hard to protect data and anticipate the next source of potential attack, a shortage of cybersecurity professionals in 2018—and the increased need for them—poses challenges. Hospitals and other medical organizations will need to invest more in people for security, according to Shefali Mookencherry of Impact Advisors. “Organizations will continue to progress toward incident response, security analysis, risk management programs, and invest in business continuity and disaster recovery efforts,” he told Health IT Security. “They’ll also look at awareness and training programs that should be done during annual HIPAA training.”
Innovative technologies will become increasingly important, including blockchain, artificial intelligence, medical-device security, network security and telehealth. As 5G and 6G networks come into use, especially around mobile apps, they should become a security priority as well. New platforms require new infrastructure and operating models, which pose new vulnerabilities.
Backup systems and cybersecurity insurance are ways that healthcare providers can protect themselves and their patients. Data systems staff should test the backup system regularly to be sure they can restore and recover data should an attack occur. Cyberinsurance is becoming more in demand as well. Fewer carriers are willing to underwrite cyber risk, and there is no standard, universal policy, so healthcare organizations will need to shop around.
“Some carriers are putting a maximum limit of $10 million on coverage,” Corinne Smith, a healthcare attorney with the national law firm Clark Hill Strasburger, told Health IT Security. “Underwriters are taking a cautious approach to provision of system failure and business interruption coverage.”
Investing in Security Protects Business
Having security processes in place is expensive, but the cost to recover from a breach can be even higher. In late 2018, Anthem Inc., the country’s second-largest health insurer, agreed to pay a record $16 million to the federal government to settle possible privacy violations, according to the Los Angeles Times. A data breach at Anthem in 2015 exposed the personal details—including Social Security numbers and birth dates—of nearly 79 million people. Anthem sells coverage in markets from New York to California.
In general, healthcare organizations spent about 5% of their total IT budget on security in 2018, according to a story in Becker’s Hospital Review. In comparison, banking and financial services companies spent 7%, and retail and wholesale spent 6%. While it may be challenging for hospitals and other healthcare providers to put more resources toward cybersecurity as demand for spending comes from other areas as well, some systems are finding a way. The Chicago Tribune notes that Advocate Aurora Health is investing more in cybersecurity, as is Amita Health, which has 19 hospitals in Illinois. Nidhi Luthra, Amita’s chief information security officer, says she focuses on the issue “24/7” and has a department dedicated to it.
As healthcare evolves and changes dramatically, security of its data will likely evolve as well, with answers to security threats coming from those IT leaders and their staffs who find the best ways to care for data, as doctors care for patients.