The healthcare industry can’t catch a break.
Healthcare is predicted to be the most targeted industry for cyberattacks in 2017, according to the 2017 Data Breach Industry Forecast from Experian.
Poor cybersecurity in the healthcare sector, combined with inventive cybercriminals and the high value of electronic health records (EHRs), supports Experian’s prediction.
If the prediction is correct, it will mark the continuation of a trend that has been underway for years. Predictions of a massive spike in healthcare cyberattacks have fallen on deaf ears.
Health insurers were the main targets back in 2015. Looking to this year, Experian expects hospital networks will see a rise. They tend to have decentralized structures and are harder to secure.
Electronic health records are exquisitely vulnerable for several reasons.
As a result, even if there are significant protections in place, it just takes one employee accessing a record from one obsolete or unprotected device to introduce a cyber-infection into a larger system.
The use of mobile applications in healthcare is another growing threat. It’s likely that attackers will seek weaknesses as these convenient apps become more popular. In addition, mobile devices are small and easy to steal.
Patients use them to access their own information from home. Doctors and nurses use them throughout hospitals. Those who own them carry them everywhere. Because of these risks, mobile devices require special security policies and procedures, which are often left unwritten or unenforced.
A stolen credit card can only be used until the victim reports it missing, which isn’t very long. Stolen EHRs, however, can be used in multiple scams for longer periods of time.
For thieves, they are the gift that keeps on giving.
EHRs contain birth dates, social security numbers and a variety of health information. They can also contain diagnosis codes, policy numbers and billing information. This information can be used to open fraudulent credit card accounts that can avoid discovery for months.
A clever thief could use the information to bill insurance companies or the government for contrived medical services. The information can be exploited to create fake I.D.s, which can be used to buy medical equipment and drugs that can be resold for money, according to a report by Reuters.
The average price paid for stolen healthcare information as part of a full identity profile is $20 according to a white paper by EMC. An unclassified FBI report puts the black market rate of a partial EHR at $50.
There’s evidence that stolen healthcare records are being sold and re-sold on the dark web, where users can maintain anonymity.
Ransomware is a super effective means by which hackers make money from EHRs. It has taken the industry by storm.
Ransomware is activated when an unsuspecting user clicks on a malicious link, for example one delivered in an infected email. The infection quickly encrypts any files it can access, effectively locking them and making EHRs inaccessible.
Next, the malware demands ransom to unlock the system. Once ransom is paid the records are unfrozen (hopefully) and business can continue as usual.
Victims are forced to pay
Freezing hospital records is so disruptive that victims are often willing to pay. In 2016 Hollywood Presbyterian Medical Center made headlines when it paid 40 bitcoins, valued at about $17,000, to resolve a ransomware attack.
Other potential repercussions include enormous amounts of wasted time and resources, and a damaged reputation. To top it off, the thieves become richer and stronger.
Cybercriminals have found a winning tactic, and are honing and improving ransomware programs to outwit even more healthcare organizations. Experian expects ransomware attacks to continue in 2017.
HIPAA penalties can follow
Unlike stolen health records, which are considered compromised, files encrypted in a ransomware attack can be restored after the ransom has been paid.
People once thought this meant a ransomware attack did not constitute a HIPAA breach. However, federal regulators have dispelled this myth.
A fact sheet recently published by the Department of Health and Human Services suggests a ransomware infection is a HIPAA breach unless victims can prove “a low probability that the [protected health information] has been compromised.”
So the burden of proof is on the victim.
Ransomware is not the only cyberthreat healthcare organizations face. Thefts and losses of laptops and phones that hold EHRs are a major issue.
At the Indiana Regional Medical Center an employee walked away with the information of 1,388 patients, according to the Pittsburgh Post-Gazette.
Human error was to blame when an employee at Highmark in Pennsylvania wrongly mailed health information – including names, addresses, birthdays, medications, and other health data – of 2,589 people.
“Big healthcare hacks will make the headlines, but small breaches will cause the most damage,” Experian predicts in its report.
While massive breaches dominated the headlines last year, smaller healthcare data breaches were abundant.
More than 95% of healthcare data breaches in 2016 involved 200,000 or fewer records, affecting more than 1.4 million people, according to the report.
In 2017 healthcare businesses must make tough monetary decisions when it comes to investing in effective cybersecurity technology to prevent security breaches. It’s a non-medical investment that will buy peace of mind and will prevent massive expenses down the road.