
Why Healthcare Institutions Are Prime Targets for Cyber Criminals

In 2018, there were 765 million cyberattacks that impacted billions of people. These numbers were significantly higher compared to 2017, and although there wasn’t a major disaster reported like the Equifax breach of 2017, the number of breaches remains stunning.

Attacks like that on Equifax or the Target breach are bad enough, but cybercriminals have their sights set on a much more lucrative prize than just credit card numbers: healthcare institutions are prime targets for cyber attacks. In 2015, an attack on Anthem, a health insurance giant, claimed 78 million U.S. patient records. Three years later, the UK’s National Health Service (NHS) notified patients that 150,000 patient files were shared after a major breach.

Why attack a hospital or healthcare organization? Because, as The Economist wrote in 2017, data is the new oil, and healthcare institutions are perhaps more reliant on it (both literally and existentially) than almost any other industry.

Hospitals Need Healthcare Data to Function

From the country doctor to the modern research hospital, there has never been a time when healthcare providers haven’t relied on patient data, even if it was written with pen and paper rather than recorded on a computer. With that said, today there’s more data than ever as organizations not only steadily create electronic health records (EHR), but also generate more data through internet-equipped devices like digital pacemakers, dialysis machines, and mobile apps. With these comes the issue of frequent updates and checkups, which are what keep society healthy and well. For example, if a patient goes in for a routine STD test once a year, that data is added to their health record, and so on.

The existence of this data itself isn’t a bad thing. Data is knowledge and knowledge is power. Access to a vast trove of data allows providers to improve the patient experience, better invest in prevention and prediction, unlock new research, and generally improve patients’ lives outside of the hospitals. It’s one of the many reasons modern medicine is so effective.

While the benefits of data for healthcare providers and patients are real, that data also attracts a certain amount of attention from those who make a living from stealing it. But it’s not just the data itself; it’s also the woeful availability of that data.

Data is Growing but Hospitals Aren’t Protecting It

All U.S. healthcare organizations that process or handle patient data must follow the Healthcare Insurance Portability and Accountability Act (HIPAA). HIPAA is a federal law designed to provide baseline privacy standards for health information, like medical records, to avoid exposing this data to anyone other than the people who absolutely need it, namely patients and their doctors. All covered entities must comply with privacy and security rules (like minimum encryption standards) or face crippling fines from the Department of Health and Human Services.




Despite this, HIPAA isn’t enough to keep attackers at bay, particularly because hospitals and other health organizations don’t go technologically far enough to protect that data. For example, Duo, a security firm and part of Cisco, surveyed healthcare endpoint security in 2016 and found that:

The issues with using an OS like Windows XP years after Microsoft stopped supporting it are huge. Healthcare organizations do have a good reason to be so behind, though: huge system updates could come with service outages, which are critical in a healthcare setting, as well as potential data loss if things go badly. However, the combination of the sheer number of vulnerabilities with the wealth of data makes healthcare institutions huge targets.

How Healthcare Institutions Can Fight Back

According to Ernst and Young, medical records are incredibly valuable: they sell for $60 per record, whereas a stolen credit card number can earn as little as $1. When you combine that with so many potential points of entry, it’s easy to see why healthcare has a target on its back. Healthcare institutions can’t change the value of their health records, but they can do more to protect them.

One of the simplest ways to fight back is through employee training. According to Proofpoint, imposter emails are a huge problem for healthcare companies. They’re not only growing in number, but opening one can release a banking Trojan, which can take down a system entirely. Because they target people with access to data or other systems (through a public-facing email), it only takes a few clicks to compromise data. Regular training on the latest email spoofing trends, however, can be enough to protect systems from malicious attacks carried out via vulnerable people who are just trying to do their job.

Additionally, organizations can ensure they extend their cybersecurity systems beyond their network of computers. Investing in proper device security can cut off the avenues of access available to criminals. Embracing the security offered by the blockchain trend in healthcare can also help protect data despite device vulnerabilities.

Healthcare Can and Must Do Better

The healthcare industry is one of the most vulnerable sectors in terms of cybersecurity. Not only does it collect huge amounts of intensely personal data, but the data is incredibly valuable to cybercriminals. Worse still, there are a plethora of ways for attackers to attempt to breach the system thanks to both gross vulnerabilities and the number of devices that now play a role in healthcare.

Healthcare organizations can do better. More importantly, they must do better because as much as the healthcare industry benefits from data, patients also have a right to privacy. By investing in both technology and training, the industry can more confidently say that it truly takes the most appropriate steps towards protecting patients’ health and their data.
