Healthcare Industry and Cyber Crime: The Importance of Data Protection
Cyber crime has been on the rise annually, and it’s even predicted to hit $6 trillion by 2021, up from $3 trillion in 2015. The healthcare industry is a particularly attractive target for cyber criminals—and these attacks come with real, human consequences.
In fact, 89% of healthcare organizations have experienced a data breach involving stolen or lost patient data, according to a study by the Ponemon Institute. This number won’t drop any time in the near future, as medical information is now worth ten times more than a credit card number on the black market. Criminals can use patient data for years, creating fake identities, filing fraudulent insurance claims, or illegally buying medication—as opposed to credit cards, which are typically canceled as soon as suspicious activity is detected.
Data breaches can be extremely costly for healthcare providers, both financially and in terms of patient trust. Damage to reputation and brand is a major consequence many organizations suffer after a data breach—at a minimum, news stories highlighting the security failure spread quickly and continue to appear in search engine results associated with the brand name for an indefinite period.
Patient information is sensitive and personal, and while it’s convenient to store and access digitally, it’s essential to ensure that data is as highly protected as possible from potential attacks, thefts, or security breaches.
Compliance and Regulatory Landscape in Healthcare
Currently, organizations that manage healthcare data around the world are subject to regulatory compliance and oversight, and there are a lot of protections in place for patients. A few of the more well known regulations include:
- HIPAA: The Health Insurance Portability and Accountability Act mandates protections for any health information that is transmitted or held digitally, including a patient’s current and past physical and mental health and payment information. It also requires appropriate safeguards to ensure patient confidentiality and protection—there are specific regulations governing data transfer, for example. HIPAA also provides guidance for employees and healthcare workers on maintaining high standards of vigilance around privacy issues.
- HITECH Act: Introduced in the U.S. in 2009 as part of a larger act, it provided funding for adoption of a national electronic medical records system. It expanded the scope of HIPAA’s privacy and security requirements, and provided more enforcement and larger consequences for non-compliance.
- HIPAA Omnibus Rule: This introduced changes to HIPAA to bring it more in line with the HITECH Act by modifying the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. Specifically, it expanded the definition of “electronic media” to account for future changes in technology, increased penalties for non-compliance, prohibited the sale of patient medical history, and limited its use for fundraising.
- ACA: The Affordable Care Act mandates the sharing of specific types of patient information between the government and healthcare providers.
- mHealth Design and Development Under HIPAA: Since mobile devices are so prevalent across patient populations, this rule protects patient privacy and confidentiality within any app or device that contains or works with identifiable health information. All apps or devices under this law must comply with HIPAA.
- General Data Protection Regulation (European Union): A recent addition to EU regulations—enforced starting in late May 2018—the GDPR sets requirements for protecting personally identifiable information, and requires the use of security measures over sensitive data. There are specific mandates around data protection assessments as well as significant financial penalties for institutions that fail to comply with these measures.
Cyber Crime Threats in Healthcare Are Increasing
The healthcare industry is an easy target for cyber criminals. With a systematic underinvestment in IT security, medical devices that are generally running outdated operating systems and are difficult to update, and increasing adoption of cloud storage solutions across the industry, healthcare organizations have become a goldmine of information for criminals when not properly protected.
Phishing and ransomware attacks are among the most common in healthcare. Phishing attacks involve sending fraudulent emails disguised as coming from a credible sender, asking the recipient to provide sensitive information such as passwords, credit card or bank details, or social security numbers. Ransomware is malicious software installed on a computer—usually when a recipient opens a malicious attachment—that holds data and personal information hostage and demands a ransom in exchange for restoring access to it.
Both types of attacks compromise healthcare data systems, and can potentially take healthcare software systems offline, creating a situation where patient records can’t be accessed, medical devices are locked, medications can’t be dispensed, and surgeries and procedures can’t be performed. But research studies have indicated that investing money into IT can be an afterthought for many healthcare organizations, even though at least 60% of healthcare data breaches since 2009 could have been avoided with organization-wide encryption measures.
Cyber crime can have a severe impact across healthcare organizations—the consequences include loss of sensitive patient data, forced downtime and lost revenue, damage to brand name and reputation, non-compliance fines, and financial impacts that persist for years after a security incident. It’s essential to have the right strategies and plans in place before a data breach ever becomes a reality.
Applied Network Solutions, Inc. (ANS) is an experienced team of engineers and technologists building and securing critical infrastructures, and we’re experienced in solving critical issues within the network and securing vital data. If you’d like to learn more about how we can help your healthcare organization reach optimal security, comply with regulatory standards, and protect your patients’ data, contact us today.