Protected Healthcare Information Is Increasingly at Risk From Cyberattacks
Healthcare providers and insurers need to tighten their guard: 2015 is predicted to see the highest levels of phishing and hacking attacks ever against Protected Healthcare Information (PHI). According to Experian, the risk of high-profile is “persistent and growing,” to the potential tune of $5.6 billion in 2015.
“The expanding number of access points to protected health information and other sensitive data via electronic medical records and the growing popularity of wearable technology makes the healthcare industry a vulnerable and attractive target for cybercriminals,” the report states. “Several factors suggest the healthcare industry will continue to be plagued with data breach headlines in 2015.”
Healthcare cyberattacks can actually be more dangerous than financial ones. Data from the Department of Health and Human Services reveal that Americans, or more than 37 million U.S. citizens since 2009.
One reason for the spike is that health data is becoming a hot commodity for cyberthieves. Cybersecurity experts say to hackers than credit card data, underscoring the need to tighten security in 2015. In fact, last year, the FBI’s Cyber Division alerted healthcare systems to increased cyber-intrusions for financial gain.
Also, with the adoption of Electronic Health Records (EHRs) comes a greater pool of potential data for cybercriminals to breach. The FBI further stated that “the healthcare industry is not technically prepared to combat against cybercriminals’ basic cyber-intrusion tactics, techniques and procedures, much less against more advanced persistent threats,” and “is not as resilient to cyberintrusions compared to the financial and retail sectors, therefore the possibility of increased cyberintrusions is likely.”
Healthcare systems are among the least prepared to handle such attacks. In May 2014, Symantec released its annual Internet Security Threat Report, revealing that 37% of all data breaches in 2013 were in healthcare — the largest number of disclosed data breaches for any industry.
And in June, a BitSight Technologies when it comes to cybersecurity. “In our recent assessment of medical devices used in clinics and hospitals around the country, weak encryption, lack of key management, poor authentication and authorization protocols, and insecure communications were all common findings,” said Chandu Ketkar, technical manager at Cigital, in a statement. “These gaps in security can lead to a compromise in data confidentiality and integrity. When sensitive data is compromised, it can not only create risks for patients, but also expose healthcare providers and device manufacturers to regulatory and business risks.”
One way to combat the potential breaches is through the adoption of data encryption. Forrester Research in September reported that “only about half” of healthcare organizations secure endpoint data through full-disk or file-level encryption.
Other security priorities should include implementation of two-factor authentication, security risk analysis, advanced email gateway software, incident response management, expansion of IT security staff and data loss prevention (DLP) tools.
It is also important to take a proactive approach to security, addressing IT security risks before incidents occur. This includes identifying key threats, reviewing existing security risks, enforcing risk management processes, executing incident management processes in times of crisis and empowering the appropriate experts to maintain regular communication about security-related issues.
If you’re going to the HIMSS15 Annual Conference & Exhibition in Chicago, April 12–16, don’t forget to visit us at Booth 8351. We’re offering guidance on the technology challenges and solutions you face in healthcare — including cyberattacks.