The Most Common Reasons for Data Breaches in Healthcare Systems

With its vast amounts of stored patient data and expanding business footprint, the healthcare industry has been a hot commodity for cybercriminals for years. Despite healthcare expenditures on cybersecurity outpacing the global average, the 2018 Thales Data Threat Report states that nearly half (48%) of U.S. healthcare organizations reported a breach in 2017—well above the global average. More than three-quarters of those organizations (77%) reported at least one breach at some point in the past—the highest average of U.S. industries.

As thousands of healthcare professionals gather in Orlando for HIMSS this week, what better moment to call attention to the security gaps that exist in the healthcare field and some of the leading causes for data breaches in the industry.

An epidemic’s afoot

Between 2010 and 2017, the reported number of patient health record breaches increased every year except 2015. In fact, according to the HIPAA Journal, more reported data breaches occurred in 2017 than in any year since records began being published in 2009. Ransomware threat actors, in particular, focused their email-phishing activities on healthcare more than any other industry. In 2016, 34% of cybersecurity incidents involved ransomware, which increased to 58% in 2017, and 8 of the 10 major ransomware families were continually linked to attacks against the healthcare industry.

The growing number of incidents throughout this industry raises 2 questions: Why? And, how?

Why healthcare? Why now?

According to the 2018 Verizon Protected Health Information Data Breach Report, the biggest threat to Protected Health Information (PHI) was—astoundingly—organizational employees. Slightly more than half of the reported breaches linked to employees were caused by human error. However, of the PHI breaches linked to malicious employees, the primary motive was financial gain.

Why is healthcare such an alluring target? According to CSO Online, cyberattacks against the healthcare industry are increasing for 4 main reasons:

  1. The industry’s rapid expansion. Healthcare is the 2nd largest sector of the U.S. economy.
  2. Its increased attack surface. Its network includes hospitals, clinics, doctor’s offices, internet-based consulting, connected medical devices, and more.
  3. The increased reliance on cloud computing. This includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and integration of Internet of Medical Things (IoMT) into healthcare systems.
  4. The growing M&A activity. This creates vulnerabilities as organizations combine patient information and integrate different technologies.

Additionally, PHI and Electronic Medical Records (EMRs) are sought-after targets, garnering up to $1,000 on the black market (compared to a top-end price of $30 for payment card information (PCI) records). Not only can PHI be used to obtain prescription drugs and medical services charged to someone else’s identity, it generally contains far more personal information than PCI and other forms of Personally Identifiable Information (PII). Plus, unlike debit and credit cards, PHI and EMR data are typically unchangeable, making them viable for long periods of time.

How are threat actors getting in?

In addition to the prolific use of ransomware in attacks leveraged against the healthcare industry, some of today’s leading threats include the following:

  • E-mail phishing attacks, leading to theft of access credentials. Many healthcare professionals may lack fundamental education and practical-application training in cybersecurity—making them vulnerable to phishing attacks. Also, healthcare organizations facing budgetary challenges may opt to spend funds on medical operations versus controls to mitigate the threat of phishing attacks and ransomware attacks.
  • Loss or theft of equipment and/or data. While PHI and EMR data may be password-protected on employee laptops or tablets, those personal devices are rarely encrypted, leaving patient data and employee credentials dangerously vulnerable in the event of equipment theft.
  • Insider threats, both intentional and accidental. PHI and EMRs must be quickly accessible to an ever-growing number of healthcare professionals—magnifying the risk of insider error or malicious activity.
  • Attacks against medical devices. The increased reliance upon IoMT for patient health monitoring and updating of EMRs expands the attack surface for threat actors to target. Additionally, emerging 5G network connectivity could magnify vulnerability exposure in IoMT devices.

Is there a cure?

Whether the root causes of these attacks are insufficient education and training, strained budgets, or new technologies, there are ways to thwart these incidents before it’s too late.

Armor experts can help organizations identify their cybersecurity gaps and partner with them to develop a reliable, sustainable threat-mitigation strategy.

To learn more, visit Armor during HIMSS at Kiosk #400-69, and be sure to attend Ryan Smith’s presentation on Wednesday at 3:45 to hear about architecting scalable and compliant HIPAA and HITRUST applications in public cloud environments.