Why are Healthcare Organizations Targeted for Cyber Attacks?
It may be common knowledge that healthcare organizations are often targeted by hackers, but people may not always know why that is. The short answer is that healthcare organizations are targeted because the information stolen from them can be sold by cybercriminals at a higher dollar value than most other forms of data.
Targeting of Healthcare Organizations
The real key to why healthcare organizations are targeted more than other types of companies is that the information that they possess is much more valuable on the black market. Protected Health Information, or PHI, is the information that is found in a person’s health record and could be used to identify them. This could be anything from their full name, address, social security number, medical record number or any other form of PHI.
Healthcare records containing PHI are among the most valuable and sought-after types of information that hackers look for, which leads to a higher selling price on the dark web. There are three key reasons that medical records and PHI are so valuable to cybercriminals: the higher selling price, the long shelf life and the multiple uses for the same form of data.
Why are Healthcare Records so Valuable?
According to the 2018 Trustwave Global Security Report, a person’s healthcare record can be sold for $250.15, whereas a single social security number would fetch only $0.53. Healthcare records are known to have a long shelf life when sold because, unlike with a credit card, those affected are unlikely to realize quickly that the theft has happened, and therefore the information can be spread and sold further before detection.
Beyond the high selling prices on the dark web, health records can also be used for multiple purposes by the purchasers, who could use a stolen record to purchase prescriptions, receive treatment or even make false medical claims.
Each of these actions could have significant, costly effects on the patient whose information is taken, but also on the healthcare industry more broadly. Now we can see the ways in which PHI is valuable on the dark web, but we must also keep in mind that a patient’s information is even more valuable to them and to the provider that they have trusted to protect it. This should remind healthcare providers that their susceptibility to cyber attacks makes their dedication to cybersecurity and HIPAA compliance all the more important.
CyberSecurity in Healthcare
Increasing Number of Attacks
As the years have passed and more and more of the healthcare industry's operations have moved to a digital format, the number of breached healthcare records has trended upward alongside them. Each year Verizon releases a data breach report that tells the story of that year's breaches. Between the 2016 and 2019 reports, the number of data incidents and breaches increased by 200%.
The recent 2020 report shows that these numbers have continued to grow, now revealing a 71% increase in the number of breaches this year. Given the many challenges of COVID-19 and a work-from-home environment, organizations need to be more careful than ever that the PHI they are responsible for is completely secure and protected.
Data Security and COVID-19
Especially in the middle of a nationwide healthcare crisis, healthcare organizations are at an even higher risk than usual. While healthcare providers are working overtime to take care of COVID-19 patients, some of their attention may be taken away from PHI security. Since the beginning of the pandemic, the FBI has reported about 2,000-3,000 more cybersecurity complaints each day than the typical 1,000 a day.
Many of the additional attacks can be explained by hackers' desire to gain COVID-19-related information, and by their use of these vulnerabilities to do so. It is fairly typical for any monumental event within a country to spur a spike in cyber attacks; it has happened in the past with other events, and is happening again with COVID-19. This crisis in particular has moved most of the workforce to remote work, which has presented a whole new set of challenges to staying HIPAA compliant in a work-from-home environment.
The Future of Cybersecurity
Year over year we have seen the number of cybersecurity attacks on healthcare organizations continue to increase, and there is no sign that this increase will slow down. Hackers have not only increased their attacks, but they have also regularly reinvented the methods with which they infiltrate organizations, as we can see in how common phishing scam emails have become. It is vital that healthcare providers have the necessary policies, training and technology in place in order to comply with related data security laws while ensuring that all of this important information is well protected.
How to Protect Yourself from These Attacks
Now that healthcare organizations understand the reasoning behind the target on their back from hackers and cybercriminals, it is important for these providers to also know how they can prevent an attack. The key for health organizations is their understanding of and compliance with HIPAA, or the Health Insurance Portability and Accountability Act of 1996. HIPAA is the legislation that lays out the physical, technical and administrative safeguards that organizations must follow in order to ensure that PHI is kept safe from attacks. These safeguards mandate that organizations take certain steps like implementing workforce training and management, limiting access to facilities or devices that contain PHI and requiring all data to be carefully encrypted.
Due to the high value of PHI data, healthcare organizations should regularly assess the steps that they are taking to ensure the security of PHI. Although a breach of information is not entirely avoidable, it is important that a healthcare provider takes all the steps possible to lessen the risk and comply with all aspects of HIPAA. For more information on how to understand the risks associated with storing, sharing and maintaining PHI and what steps need to be taken to reach HIPAA compliance, feel free to ask Accountable, your simple HIPAA compliance software solution provider.