The health care industry has a firm responsibility to defend the security of its clients' data. With most health care data stored online, that means hospitals and other health care facilities need to have top-tier cyber security standards in place. Right now, that's not happening – and that's a real problem.
Myriad health care cyber attacks amid little protection
According to the Identity Theft Resource Center's data breach information – current as of Dec. 1 – around 176.275 million records have been breached so far this year. More than 120 million of those records – or 68.1 percent – have come from the health care sector, making it by far the most-breached industry in terms of number of compromised records. The incidents are wide-ranging and involve health care organizations of all sizes and types, from local hospitals to massive insurance providers. The common denominator among all the breached institutions is that their networks are far more vulnerable than they should be. While many health care-based breaches involve accidental information exposure, there are plenty of malicious incidents as well. Here are some recent notable examples:
- Owensboro Health Muhlenberg, LLC: In mid-November, OH Muhlenberg, LLC revealed that its hospital located in Kentucky had fallen victim to suspicious network activity that placed data for almost 85,000 individuals at risk. But it wasn't employees from the hospital who first learned about the malicious activity – it was the FBI, which in September reached out to Owensboro about the presence of suspicious activity. As it turns out, the activity was by no means recent: Instead, it was revealed that the malicious intrusion may have dated back as far as the beginning of 2012.
After learning from the FBI about its situation, the hospital's leaders conducted an internal investigation into the nature of the cyber criminal activity. As they found out, the threat that had attacked the network was a keystroke logger, which records keystroke data and relays it to malicious third parties. This attack method can be effective for cyber criminals looking to remain under the radar and conduct a long and drawn-out attack, as evidenced by the more than three-and-a-half-year campaign against Muhlenberg Community Hospital.
It's worth noting, however, that although Owensboro Health Muhlenberg, LLC was the owner of Muhlenberg Community Hospital at the time the breach was discovered, Owensboro had only acquired the hospital in July 2015, and therefore hadn't been present for the beginning of the malicious intrusion or the vast majority of the time that it was present on the hospital's network. While this would seem to bode well for OH Muhlenberg, LLC, what it really seems to illuminate is the need for a business like OH Muhlenberg to run more comprehensive threat-based network analyses of any organizations they're acquiring – and this goes for any organization onboarding a newly purchased business.
- Huntington Medical Research Institutes: Unfortunately, cyber threats don't only come from outside – they can also come from within an organization. This was a lesson that the California-based Huntington Medical Research Institutes had to learn the hard way when it dealt with a breach that was tied to a former employee. In a notice put out on October 20, HMRI revealed that in August, an ex-employee had possibly stolen electronic health data belonging to patients of HMRI.
"HMRI believes this former employee took this information around the time of the former employee's departure on July 31, 2015," the notice stated. "HMRI continues to investigate this incident and seek return of all HMRI patient health information. At this time, HMRI has no reason to believe this information has been or will be misused."
Nevertheless, that message perhaps didn't come as much of a comfort to compromised individuals, considering that the vulnerable data included clinical information such as diagnoses and ordered tests — highly privileged data that nobody would want to fall into the wrong hands. While HMRI stated that part of its response to the incident would be to bolster its data protection, one wonders why those standards weren't in place to begin with, before the former employee put patients' very private data at risk.
Why so many health care attacks?
The reason for the number of health care hacks – as well as the sheer volume of compromised data within the sector – isn't hard to pinpoint: As Forrester analyst Stephanie Balaouras puts it, health care is "woefully behind" in terms of cyber preparedness. In the second part of this piece, we'll look into why that is – and what health care organizations can do to establish better cyber security practices.
Health care security requires a sustained commitment to cyber security, which can happen via the deployment of tools that protect against targeted attacks.