If the healthcare industry went to see a security doctor, the prognosis would not be good. Healthcare data breaches have spread rapidly and no simple cure is in sight.
But why is this happening? Why is healthcare a target? Why isn’t healthcare IT security able to stop these attacks? We explore four reasons why below.
Huge jump in security breaches in healthcare
The healthcare industry’s status as a target should be clear to anyone who has checked the news lately.
Criminal attacks on healthcare networks have increased 125% in the past five years and are now the number-one cause of data breaches in the industry, according to Ponemon research.
News of these breaches never seems to end:
- Last week, Excellus BlueCross BlueShield disclosed that 10 million records may be exposed in a recent breach.
- 5 million records may have been breached at UCLA Health System according to a disclosure in July.
- Anthem earlier this year disclosed a breach that exposed about 80 million records.
Why is healthcare a target?
The healthcare industry is huge – encompassing everything from a local dentist to a massive pharmaceutical company. So while it’s difficult to nail down every reason the industry is suffering data breaches, below are four major factors.
Reason #1. Healthcare data is valuable
Healthcare organizations – such as doctors’ offices, hospitals, and insurance providers – store enormous amounts of patient data. This data sells for a premium on the black market because it can be used for scams that last much longer than a typical stolen-credit-card scam.
For example, a stolen credit card number may provide a thief with a few purchases before it is detected and blocked. The window of opportunity can be shut in a few hours.
However, a stolen medical identity can pay off for weeks or months. A thief can buy medical equipment and drugs for a longer period before vendors, insurers, or individuals catch on.
This is why stolen health credentials can cost 10 to 20 times the value of a US credit card number on the black market, according to Reuters. Prices can range from about $470 for a single Medicare number, according to NPR, down to about $6.40, according to cybersecurity journalist Brian Krebs.
Reason #2. Healthcare IT security is lagging
Healthcare organizations lag many other industries in building secure architecture. For example, even though they hold similar types of data, healthcare organizations tend to be less secure than financial organizations, according to a New York Times report.
This is true for many reasons. First, clinical applications and emergency room systems may predate the massive rise in cybercrime. They are not designed with security as a priority and are easier to breach.
Also, more and more medical devices are network-enabled. The healthcare “internet of things” is predicted to grow to a $117 billion market by 2020, according to MarketResearch.com.
This expands the attack surface in healthcare organizations and expands the number of endpoints that have to be patched and supported to avoid a data breach.
Reason #3. Healthcare security processes are fragmented
“Technology” is not synonymous with “security.” There is no magic silver bullet that can kill every cyber-threat.
A sound approach to healthcare network security has to include the right systems and the right processes to protect patient health data and avoid a breach.
The HIPAA guidelines and penalties have provided some direction and incentive to comply, but many organizations have not gone far enough to train their people to improve data security.
Zafar Chaudry, a research director at Gartner, suggests that many healthcare employees are not interested in learning new technology and may view security guidelines as obstacles to providing care.
High turnover and heavy use of temporary staffing in healthcare may also be a barrier to establishing secure processes, according to Gary Palgon, VP of healthcare solutions at Liaison Technologies.
Reason #4. Widespread use of electronic health records
The age of electronic health records (EHRs) is upon us. About 90% to 95% of clinical information systems use them, according to research from Frost & Sullivan.
The growth in health data is exploding. In 2013, the amount was estimated at 153 exabytes, and by 2020 it’s estimated to reach 2,314 exabytes, according to research from EMC and IDC.
According to the same report, if you loaded all the health data in 2013 onto the memory in a stack of tablets, those tablets could fill about 75% of a large hospital (1,000 beds). In 2020, there would be more than enough to fill 11 hospitals of the same size.
The widespread adoption of EHRs has not coincided with widespread adoption of sound IT security in healthcare. While this data becomes easier and faster to share, it also becomes easier and faster to steal.
More than 90% of healthcare data (such as medical records, claim histories, and patient protected health information) needs more protection, according to the 2014 EMC and IDC research. Of that amount, 57% is “somewhat” protected and 43% is “not adequately” protected.
Although EHRs have been hailed as a way for healthcare organizations to save money and improve outcomes, many providers are still struggling to keep their heads above the flood of data that has emerged.