Hospitals, health systems, physician groups, insurance companies, and every kind of medical facility are prime targets for cyber attacks in 2017 and beyond. According to Accenture, one in 13 patients will have their data compromised, costing hospitals more than $305 billion over the next five years. Beyond the typical risks involved with identity theft, medical information can help criminal hackers launch prescription drug, billing, or other scams.
At the same time, many organizations are falling victim to ransomware attacks. In fact, the street value of personal data is decreasing: so much patient data has become available, and word has spread through the criminal community that healthcare organizations have paid ransomware demands in order to retrieve critical data encrypted or stolen by malicious software. Ransomware is increasingly seen as the more lucrative approach.
With the passing of the Patient Protection and Affordable Care Act, healthcare organizations had to respond quickly to new requirements such as electronic health records (EHR), while maintaining a sharp focus on regulatory compliance and HIPAA requirements. This can pull resources away from security in ways IT leaders in other industries did not experience.
Banner Health, which operates 29 acute-care hospitals and other facilities, recently notified 3.7 million patients, health plan members, visitors and others of a breach that started with retail data in its food service facilities and spread to include personal health information. It has been reported that insurance ID-card-producer Newkirk Products and 21st Century Oncology lost 3.4 million and 2.2 million records, respectively.
According to a 2015 IBM report, the rate, size and cost of healthcare data breaches are all increasing. Five of the eight largest data breaches reported since 2010 involved medical information. The report added that healthcare breaches cost their organizations an average of $363 per record, compared to an overall average of $154.
Identify the Threats
Networked devices, electronic medical records, wireless networks, human error, malicious acts by insiders, medical device hijacking, legacy systems: the list goes on and on. Do your team members and stakeholders fully understand the challenges?
- Conduct a vulnerability assessment, reviewing both software and hardware as well as systems and data architecture.
- Invest in software to help monitor and mitigate threats.
Prepare the Team
From the people who monitor security daily to the people responsible for your infrastructure, to the management, legal and public relations teams that would have to respond to a breach, preparation and planning are key.
- Identify your best sources for industry-specific intelligence, best practices, and indicators of compromise.
- Obtain and share ongoing continuing education, including both highly technical training for your IT team as well as appropriately targeted information for your key stakeholders in other areas of the organization.
- Examine the security practices of your key vendors.
Understand the Evolving Threat
Since the massive healthcare data breaches that began in 2015, the black market has actually become somewhat saturated with patient data, driving the profit down for criminals. However, the ransomware approach has become more attractive to thieves as they have watched healthcare organizations pay to retrieve their data because they had no other choice. In February 2016, Hollywood Presbyterian Medical Center paid a $17,000 ransom in Bitcoin after malware infected its systems. By that summer, one hacker claiming to have stolen ten million records from three hospitals and one insurance company was demanding $500,000.
Some reports have suggested that there are more than 300 malware strains and 150 variants of ransomware.
- Keep adequate backups protected offline so that mission-critical data can be restored quickly in the event of a malware attack.
Consider a Managed Service Provider (MSP)
A large, well-funded MSP, like Vology, can bring economies of scale that most organizations simply cannot afford internally. From assessment to infrastructure to dedicated security staff, a good MSP can provide expertise and services that are hard to match — and do so in a cost-effective manner. Many organizations that work with MSPs report that their teams can now invest more time in delivering value for their stakeholders and patients, and less time on defense. Note, though, that not all MSPs are created equal. There are many smaller players in the industry that simply do not have the scale to provide more security for less cost.