Hacking: A Digital Epidemic - Part 1 of 3
Many current medical IT security issues first surfaced about a decade ago. Part 1 of our series outlines the background and circumstances that led to the extraordinary challenges facing healthcare IT security today.
As the first cases of COVID-19 began to make the news, cybercriminals immediately recognized new vulnerabilities and grew increasingly aggressive. By early March 2020, a major Czech Republic hospital reported being victimized by a significant cyberattack.[1] Days later, the US Department of Health and Human Services experienced a series of attempted hacks, apparently to impede its efforts to fight the virus.[2] Remote workers, including those in healthcare, now encounter heightened online threats, largely in the form of user identity theft and weaponized emails. In the midst of a pandemic, cybercrime flourishes, threatening the safety of every enterprise, including healthcare systems.
Today, online healthcare information is one of the most susceptible, profitable targets for cybercrime. The primary reason: The rapid proliferation of connectivity and medical data has outpaced the implementation of rigorous cybersecurity around healthcare. By learning more about trends in cybercrime, you can make better informed decisions about the computer security systems suited to safeguarding your organization. Because such systems typically require significant investment, this article also investigates payment strategies and options.
The Privacy Promise
When Congress introduced the Health Insurance Portability and Accountability Act (HIPAA) in 1996, proponents hailed it as an assurance of stringent security and privacy for patient information. The Department of Health and Human Services (HHS) planned to oversee performance of the hospitals, insurers and related organizations that served as stewards of millions of personal medical records.
Breaches begin and continue to rise
However, as growing amounts of medical information were digitized and placed online, hackers and other malefactors began to breach computer systems that held the data. In 2010, HHS counted about 200 major data breaches. Over the course of the next several years, HIPAA-related data hacks continued their upward trend, reaching 510 in 2019.[3] It’s interesting to note that HIPAA opted to count only those hacks that involved 500 or more patient records. We can only speculate as to how many smaller attacks went unreported. But why are medical records in such high demand by hackers? And why are they so difficult to secure?
Few documents in contemporary life are as comprehensive and intimate as medical records and other protected health information (PHI). Each may hold significant details of a person’s medical history, including physician appointments, lab tests, diagnoses, prognoses, medications, supplements and prescriptions.
Other data commonly specifies a patient’s employment history, insurance, credit cards, bank accounts, Social Security number, demographics, past addresses and names of relatives.
Dark web costs
On the dark web (the digital black market), a single stolen credit card might carry a price tag of just 20 cents. In contrast, one medical record could sell for upwards of $1,000.[4] (Whatever the cost, such illicit sales are often transacted in bitcoins.) In any case, a stolen medical record commands one of the highest black-market prices for any ill-gotten data. Even the value of a lifted financial record comes in at a distant second place. Why the high price? The illegal possession of PHI and medical records enables high-dollar, high-damage crimes to be committed with impunity. The criminal acts committed typically include identity theft, fraud and other felonies.
In most instances, online theft of medical records may remain undetected for weeks or months. Cybersecurity analysts refer to this period (between a breach’s occurrence and eventual discovery) as “dwell time.” In 2018, median dwell time for hacks was about 80 days, though longer periods are common.[5] Damages to victims can be profound, long-lasting and far-reaching.
Illegal physician impersonation
Some data breaches gain access not only to medical records, but to complete sets of physician credentials. These typically command an even higher price than a medical record, especially because the criminal gains the potential to bill multiple insurance companies for countless services, to write prescriptions and even to pose as a legitimate, practicing doctor.
Why is Healthcare a Prime Target?
Let’s consider the three overriding reasons that healthcare institutions make such attractive targets for cybercriminals:
- Information magnitude
Compared to most other industries, healthcare keeps an extraordinary volume of data online 24/7.[6]
- System obsolescence
Large numbers of healthcare organizations use outdated operating systems and vulnerable applications. (As of March 2020, more than half of medical data breaches involved imaging devices, most of which ran outmoded software.[7])
- Security negligence
Most importantly of all, many healthcare-related institutions have simply “failed to address easily exploitable holes in their security defenses.”[8]
What’s the delay?
These observations raise the question: Why have so many healthcare institutions not given cybersecurity the attention and budget it clearly deserves? Many industry analysts believe the incredibly rapid expansion of both healthcare data and Internet dependence simply overshadowed the imperative to adopt robust, scalable security.
In fact, a substantial number of healthcare executives today admit they need to do more about cybersecurity, even as they witness the inestimable damages of one healthcare data breach after another. In a recent study by Carbon Black, when asked to assign a letter grade to their organizations’ cybersecurity quality, most healthcare chief information security officers gave themselves a “C.”[9]
By the numbers
Does their assessment appear exaggerated? Then consider these facts: Fifty-three percent of healthcare organizations have undergone a PHI breach within the past year. On average, such a breach exposes more than 7,000 records and costs $1.8 million.[10]
While a data breach may seem like the ultimate violation of a computer system’s information security, a darker threat looms on the horizon: ransomware.
Explore Part 2 of our article series as we investigate some of the most common PC threats, as well as ways to recognize and mitigate them.
Or jump ahead to Part 3. The final installment looks into the imperative need for stronger data security systems, as well as prudent methods for handling related costs.