If the healthcare industry went to see a security doctor, the prognosis would not be good. Healthcare data breaches have spread rapidly and no simple cure is in sight.
But why is this happening? Why is healthcare a target? Why isn’t healthcare IT security able to stop these attacks? We explore four reasons why below.
The healthcare industry’s status as a target should be clear to anyone who has checked the news lately.
Criminal attacks on healthcare networks have increased 125% in the past five years and are now the number-one cause of data breaches in the industry, according to Ponemon research.
News of these breaches never seems to end.
The healthcare industry is huge – encompassing everything from a local dentist to a massive pharmaceutical company. So while it’s difficult to nail down every reason the industry is suffering data breaches, below are four major factors.
Reason #1. Healthcare data is valuable
Healthcare organizations – such as doctors’ offices, hospitals, and insurance providers – store enormous amounts of patient data. This data sells for a premium on the black market because it can be used for scams that last much longer than a typical stolen-credit-card scam.
For example, a stolen credit card number may provide a thief with a few purchases before it is detected and blocked. The window of opportunity can be shut in a few hours.
However, a stolen medical identity can pay off for weeks or months. A thief can buy medical equipment and drugs for a longer period before vendors, insurers, or individuals catch on.
This is why stolen health credentials can sell for 10 to 20 times the value of a US credit card number on the black market, according to Reuters. Prices range from about $470 for a single Medicare number, according to NPR, down to about $6.40, according to cyber security journalist Brian Krebs.
Reason #2. Healthcare security architecture lags other industries
Healthcare organizations lag many other industries in building secure architecture. For example, even though they hold similar types of data, healthcare organizations tend to be less secure than financial organizations, according to a New York Times report.
This is true for many reasons. First, clinical applications and emergency room systems may predate the massive rise in cybercrime. They were not designed with security as a priority and are easier to breach.
Also, more and more medical devices are network-enabled. The healthcare “internet of things” is predicted to grow to a $117 billion market by 2020, according to MarketResearch.com.
This expands the attack surface in healthcare organizations and expands the number of endpoints that have to be patched and supported to avoid a data breach.
Reason #3. Technology alone is not security
“Technology” is not synonymous with “security.” There is no silver bullet that stops every cyber threat.
A sound approach to healthcare network security has to include the right systems and the right processes to protect patient health data and avoid a breach.
The HIPAA guidelines and penalties have provided some direction and incentive to comply, but many organizations have not gone far enough to train their people to improve data security.
Zafar Chaudry, a research director at Gartner, suggests that many healthcare employees are not interested in learning new technology and may view security guidelines as obstacles to providing care.
High turnover and heavy use of temporary staff in healthcare may also be a barrier to establishing secure processes, according to Gary Palgon, VP of healthcare solutions at Liaison Technologies.
Reason #4. Health data is exploding
The age of electronic health records (EHRs) is upon us. About 90% to 95% of clinical information systems use them, according to research from Frost & Sullivan.
The growth in health data is exploding. In 2013, the amount was estimated at 153 exabytes, and by 2020 it’s estimated to reach 2,314 exabytes, according to research from EMC and IDC.
According to the same report, if you loaded all the health data in 2013 onto the memory in a stack of tablets, those tablets could fill about 75% of a large hospital (1,000 beds). In 2020, there would be more than enough to fill 11 hospitals of the same size.
The widespread adoption of EHRs has not coincided with widespread adoption of sound IT security in healthcare. While this data becomes easier and faster to share, it also becomes easier and faster to steal.
More than 90% of healthcare data, such as medical records, claim histories, and patient protected health information, needs more protection, according to the 2014 EMC and IDC research. Of that amount, 57% is “somewhat” protected and 43% is “not adequately” protected.
Although EHRs have been hailed as a way for healthcare organizations to save money and improve outcomes, many providers are still trying to keep their heads above the flood of data that has emerged.