While much of the news on cybersecurity and data breaches has been focused on attacks aimed at retail stores, security experts are increasingly warning healthcare organizations that hackers are more frequently going after targets in this $3 trillion industry.
In the underground market where cybercriminals sell their stolen goods, medical information can go for more than 10 times what credit card numbers are worth. Due to the high price medical records can fetch, attacks are increasing at an alarming rate. Just last month the FBI warned healthcare providers to be on high alert after Community Health Systems, one of the U.S.'s largest hospital operators, was hacked and the information of 4.5 million patients was compromised. A recent study by the Ponemon Institute found that the number of healthcare organizations reporting a data breach is rising, with 40 percent of providers reporting an intrusion in 2013 as opposed to 20 percent in 2009.
Lack of awareness makes healthcare a great target
As opposed to retail data breaches or personal identity theft, fraud involving medical information is rarely detected in a timely manner, making it more worthwhile for hackers to go after healthcare records instead of credit card numbers.
"As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit," said Dave Kennedy, CEO of TrustedSEC LLC, in an interview with Reuters. "Hospitals have low security, so it's relatively easy for these hackers to get a large amount of personal data for medical fraud."
According to an FBI estimate, one medical record can sell for as much as $50 in an underground marketplace, in stark contrast to the few dollars a stolen credit card might bring in. Stolen medical information commonly on sale on the black market includes names, dates of birth, billing information, diagnosis codes and policy numbers. This data is then used by cybercriminals to create fake IDs in order to purchase prescriptions or medical equipment that can be resold, or to make phony insurance claims.
Low funding, high risk
One of the major drivers of the increase in healthcare data breaches is the recent switch to electronic medical records. In an interview with the Boston Globe, Beth Israel Deaconess Medical Center CIO John Halamka said that IT departments in the healthcare industry commonly receive only between 2 and 3 percent of an organization's budget, compared with the 20 percent offered to those in retail and financial industries, yet organizations are being forced to rely on technical solutions. Perhaps because of the lack of funding, a recent study by security firm BitSight Technology found that healthcare providers respond more slowly to data breaches than any other sector, compounding the problem.
The Ponemon Institute report found that the healthcare industry loses $5.6 billion a year due to security incidents. As cybercriminals continue to find more sophisticated attack methods and target larger amounts of information, healthcare providers will have to find a more secure way of storing their electronic medical records. A reliable way to protect patient data is to utilize cloud storage services. Data saved in the cloud can be easily encrypted and kept in a separate place from other enterprise information. Business continuity procedures are also improved by keeping health records in the cloud, as duplicate data can be stored offsite and kept safe in case a system is compromised or a disaster occurs. Cloud services are a cost-effective storage option as they are highly scalable and require healthcare providers to pay only for the amount of service being used. This allows cash-strapped organizations to protect sensitive information without breaking the bank.