It’s a cybercriminal’s dream: easily obtaining files that contain a person’s social security number, address, email address, credit card data and even medical history. Healthcare organizations are constantly under attack from hackers, especially because their security is often much more relaxed than that of other organizations.
Most industries had a plan to switch over to digital, but healthcare organizations had almost no strategy in place. The change happened rapidly, as shown in a 2014 government study. In 2008, just 9.4% of hospitals used electronic health records. By 2014, 96.9% had converted.
Because the rapid shift did not take into account a security infrastructure for those new digital systems, it left healthcare organizations vulnerable to cyber attack: almost 90% of healthcare organizations surveyed in a Ponemon Institute study experienced a data breach over the past two years.
A lax cybersecurity protocol can lead to vast losses. On average, it’s estimated that cyber attacks cost the healthcare industry $5.6 billion per year.
So why are healthcare records so heavily targeted by cyber criminals? There are several reasons.
A High Prize
Healthcare records fetch a high price on the dark web, as each individual record is worth around $380, or 2.5 times the average across industries, according to the Ponemon Institute. Why? Health records offer good bang for the buck, containing credit card data, email addresses, social security numbers, medical history records and employment information. Cyber criminals use the data to launch spear-phishing attacks, commit fraud and steal medical identities. Healthcare data can also be used to steal research and development, disrupt the supply chain and manipulate stocks.
Ransomware: A Major Threat
Cybercriminals are starting to use ransomware to make even more money off of the healthcare organization itself. In 2016, 88% of all ransomware attacks were centered on the healthcare industry. A 2016 IBM survey revealed 70% of attacked businesses paid to have their stolen data returned. Hackers will usually request that their sum be paid in bitcoin, and some have even demanded a ransom after hacking in and taking control of entire hospital computer systems.
In February 2016, a Hollywood hospital was attacked and staff had to use pen and paper to record patient information while ambulances were sent elsewhere. The hospital’s systems were down for a week before they ended up paying the attackers 40 bitcoins ($17,000) to release their patient data and computer systems.
Major Vulnerabilities: Employees and Encryption
One of the greatest cyber threats to a healthcare organization is its own employees. In January 2017 alone, 31 breaches affected almost 390,000 patient records, according to Protenus, a health data security and patient privacy analytics firm. Over half of those breaches came from people within the organization.
Another major threat is the lack of encryption: the healthcare sector has one of the lowest overall rates of data encryption, with just 31% reporting that they use encryption extensively in a study by Sophos, the lowest percentage out of all industries surveyed. 20% reported they do not use it at all.
Counteracting Attack Attempts
Due to the rapid changeover to electronic health records, and the fact that healthcare organizations continue to face more digital changes, the need for cybersecurity protocols grows each day. Patients who suffer loss from compromised records often have little to no recourse in these situations, and many healthcare organizations have ended up paying fines to the federal government and settling civil suits. Smaller organizations without experts on staff to prevent these attacks are the most vulnerable, and in that case, it’s important to train all staff members on proper IT protocols. If users can recognize a phishing attempt, attacks can be avoided more often.
The best ways for healthcare organizations to avoid these issues are outlined on the FBI’s ransomware page:
- Regularly update software
- Conduct regular backups
- Increase use of encryption
- Store data offline
- Install some form of email/web security
- Improve incident response time
- Create an IT disaster recovery plan
- Purchase or update your anti-virus plan
- Train employees in cybersecurity basics
- Allot more money toward the cybersecurity budget
Healthcare organizations would also benefit from hiring information security professionals to make sure their cybersecurity infrastructure is set firmly in place. Employers in this field plan to expand IT staff by around 20%, which is higher than any other industry.