In the first part of this article, we introduced the problem of cyber security vulnerabilities within the health care sector – a pervasive problem that's impacting health care providers of all sizes and types. This year alone, there have been more than 120 million health care records breached so far, and that number will only climb before the new year arrives. Once 2016 rolls around, we'll look back on 2015 as a year that was decidedly damaging to the health care arena, which according to the Identity Theft Resource Center has experienced significantly more records getting compromised than any other industrial sector.
It's not difficult to grasp why health care enterprises are such a high-value and commonly targeted victim for cyber criminals. Just consider your own health care data that's on file with your doctors and other health care providers. Is that the kind of information you'd want to fall into outside hands? Of course not. For all of us, our personal health information is highly privileged data. But the more privileged something is, the more hackers want to get their hands on it, which explains why hospital hacks so consistently crop up in the news.
In the previous part of this article, we discussed two major breaches involving health organizations. One of these incidents centered around Owensboro Health Muhlenberg, LLC, which had to cope with an incident that involved suspicious network activity. Another breach event occurred at Huntington Medical Research Institutes, where 4,300 patients were determined to have been impacted in a breach that targeted not only names and demographic data, but also extremely private information like treatment and diagnosis issues.
Huntington and Owensboro are hardly unique situations when it comes to health care and cyber security. In fact, the list of breaches goes on and on, as ITRC data notes. Here are some other health care breach events worth noting:
- Aspire Home Care & Hospice: This organization reported a breach in October in which an attacker was able to worm his or her way into email accounts associated with the enterprise. As a result, the 4,500 individuals whose data was compromised were told that, because their Social Security numbers and insurance data were among the personal information exposed, they faced a significantly elevated risk of identity theft.
- Oakland Family Services: This Michigan-based health care organization was hit by one of the most frequently deployed attack types out there: a phishing intrusion. The attack – which led to more than 16,100 records being exposed – was fortunately discovered on the same day that it occurred. In this respect, Oakland Family Services is fortunate, since health care organizations – and all attacked businesses, for that matter – often don't detect a breach until long after the fact, which gives the hackers behind it that much more time to carry out their malicious work and make off with whatever privileged information they want.
- Excellus BlueCross BlueShield: It's not just smaller practices like Oakland Family Services that find themselves under attack by cyber criminals. Hackers also set their sights on much larger targets like Excellus BlueCross BlueShield, which experienced a hack that potentially compromised 10 million records. Given the sheer size of that number, it's no surprise that the business – in addition to dealing with breach recovery efforts – is confronting a host of lawsuits that could take a long time to play out. The inevitably lengthy recovery for Excellus BlueCross BlueShield isn't unique: for any organization, an attack on patron data is also seen as an attack on patron trust. Recovery, if it happens successfully, is therefore bound to take a long time.
The fact that private health records present appealing data to cyber criminals only partially explains why there have been and continue to be so many health care-targeted cyber attacks. The other, more significant reason, is that, on the whole, the health care sector is extremely behind the times in terms of network security. As hospital breaches stack up, it's now clearer than ever that that lack of preparedness has to change.
Reasons the health care industry is behind
"Woefully behind." That's how Forrester analyst Stephanie Balaouras describes the state of health care cyber security. That characterization certainly isn't good for the industry as a whole, since it implies what a long way the health care arena has to go before it attains a suitable level of security. But how did it come about that health care became so behind? The lack of preparedness that's a trend across the entire sector can be chalked up to several overarching factors:
- Perceived cost issues: When you think about organizations that have a lot of spare change to throw around, health care enterprises certainly aren't the first that come to mind. And as IBA Magazine points out, perceived difficulty in paying for robust security is one of the key barriers between health care organizations and better network preparedness. The irony here, though, is that the toll health care breaches have taken is absolutely massive – around $6 billion across the industry per year. With a number like that, there's no denying that not securing networks is a financially detrimental decision, particularly considering that roughly nine out of 10 U.S. health care businesses have been hit by a breach just since 2013.
That said, there is a legitimate issue that health care businesses need to be concerned about with regard to a lack of capacity among insurers. As cyber insurance broker Jack Elliott-Frey told IBA Magazine, "[The healthcare industry] is prone to damaging losses if personal health information and payment details are exposed. There is a lack of capacity here as insurers are less inclined to underwrite organizations with large amounts of patient data."
- A focus on other elements of day-to-day business: Nobody would accuse the typical health care provider of doing too little on a daily basis. On the contrary, health care organizations are always bustling with important activity, from patient consultations to medical research to life-saving services like surgery. On top of all this, health care practices have lately been swamped with new and promising industry technology in the form of intelligent devices. These smart devices – whether a smart heart monitor or something else – hold significant potential for how health care business happens in this day and age.
But the growth of intelligent technology like smart health monitors seems to be occupying all of health care providers' time – the time, that is, that isn't devoted to the crucial work of attending to patients and research. With workplace strides like this taking place, it is easy for an issue like network security to get sidelined, and that's exactly what's happening in health care. What tends to happen is that a health care provider maintains a relatively lax attitude toward cyber security up until the moment it experiences a breach, and only then springs into action. Of course, this too-late approach does little to alleviate the frustration and mistrust of patients whose data may have been compromised. Though right now is an exciting moment for medical tech, attention to that technology must not come at the expense of hospitals giving network security the focus it needs – a network which, after all, only becomes more exposed as smart tech advances and connects more devices to it.
What health care can do to improve cyber health
All health care organizations need to take a careful look at their approach to cyber security and decide whether they are where they need to be in that regard. Most likely, though, a careful examination of any health care provider's network will reveal certain things that need to be improved. Therefore, one of the best steps health care enterprises can take is to leverage a specially tailored solution that is built to meet the needs of the industry and provide cutting-edge service. As a health care business looking for such a solution, you'll want to make sure you find something that offers not only breach detection and data loss prevention tools, but also addresses compliance. After all, health care enterprises don't only need to worry about PCI DSS 3.0, but about HIPAA compliance as well. A well-crafted solution is one that meets – and exceeds – these standards.