Considering the number of patient records stolen has increased over 6x since 2017, the answer to that question is uncomfortably clear. In this short article, I’ll unpack this topic and also cover the drivers behind the increase we’re seeing in healthcare data breaches.
The Bad, The Ugly
There has been at least one health data breach a day since 2016, and already 285 breaches reported between January and June 2019. (2)
What’s Driving Cyber Criminals?
A patient’s healthcare record sells for $1000 on the Dark Web, compared to $110 for full credit card data and $1 for a Social Security Number. (3)
Healthcare records command this premium because cyber criminals have figured out they can commit far more fraud with a person’s healthcare information than with a card number. Here are a few examples driving patient record theft:
- Filing fraudulent insurance claims
- Fake medical prescriptions for drugs and devices
- Getting treatment under a false identity
And, unlike credit ca
Security is Still Largely a People Problem
While cyber criminals are upping their attacks in healthcare, it’s important to remember that insiders are nearly as big of a threat as cyber criminals. According to a study by the US Department of Health and Human Services, 42% of the breaches occurring between 2009 and 2017 resulted from current or former employees (4). Most insider breaches are unintentional but the resulting damage can still be significant. Some examples of unintentional data breaches in healthcare:
- Sending or saving sensitive data externally to a personal account
- Email containing sensitive data sent to the wrong person within one’s own organization
- Clicking and dragging sensitive files to a public / shared server by accident
- Posting sensitive data in collaboration tools such as Slack, Trello, or GitHub
- Theft or loss of PC/laptop or media storage equipment containing sensitive data
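The first two items above (data sent to a personal account, or to the wrong external recipient) are the kind of unintentional leak a simple outbound-mail check can catch before the message leaves. The following Python is an added illustration, not code from the article or from any product it mentions: it assumes a hypothetical mail-gateway log format, a made-up hospital domain, a made-up approved-partner list and a short list of personal webmail domains, and flags any outbound message whose subject or body contains PHI-like identifiers (an SSN-shaped number or an MRN) addressed outside the organisation and its approved partners.

```python
import re
from typing import Optional

# Constructed sample of outbound mail-gateway records (hypothetical format, not real data).
SAMPLE_LOG = [
    "2019-06-03T09:12:44Z from=nurse.a@example-hospital.org to=billing@example-hospital.org subj='Claim 4471' body='Patient MRN 00839221, DOB 1962-04-11'",
    "2019-06-03T09:15:02Z from=nurse.a@example-hospital.org to=nurse.a@gmail.com subj='for later' body='MRN 00839221 SSN 123-45-6789'",
    "2019-06-03T09:20:17Z from=admin.b@example-hospital.org to=jane.doe@partner-lab.example subj='lab order' body='MRN 00912377'",
    "2019-06-03T09:22:51Z from=admin.b@example-hospital.org to=john.smith@contoso.example subj='re: lunch' body='see you at noon'",
    "2019-06-03T09:30:05Z from=clerk.c@example-hospital.org to=john.smith@contoso.example subj='results' body='SSN 987-65-4321 diagnosis attached'",
]

INTERNAL_DOMAIN = "example-hospital.org"        # assumed organisation domain
APPROVED_PARTNERS = {"partner-lab.example"}       # assumed list of vetted partners
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Two PHI-style identifiers present in the sample: a US SSN and a medical record number.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b"),
}

# Hypothetical gateway record layout: timestamp, sender, recipient, quoted subject and body.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) "
    r"subj='(?P<subj>[^']*)' body='(?P<body>[^']*)'$"
)


def parse_record(line: str) -> dict:
    """Split one gateway log line into its named fields."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unparsable record: {line!r}")
    return m.groupdict()


def phi_types(text: str) -> list:
    """Return the names of the PHI patterns that match the given text."""
    return [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]


def classify(rec: dict) -> Optional[dict]:
    """Return a finding when PHI leaves the organisation for an unapproved destination."""
    found = phi_types(rec["subj"] + " " + rec["body"])
    if not found:
        return None
    domain = rec["to"].rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN or domain in APPROVED_PARTNERS:
        return None  # internal traffic and vetted partners are allowed to receive PHI
    rule = ("phi_to_personal_account" if domain in PERSONAL_WEBMAIL
            else "phi_to_unapproved_external")
    return {"ts": rec["ts"], "from": rec["from"], "to": rec["to"],
            "phi": found, "rule": rule}


def scan(lines) -> list:
    """Run the check over a batch of log lines and collect the findings."""
    return [f for f in (classify(parse_record(line)) for line in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['rule']}: {f['from']} -> {f['to']} ({', '.join(f['phi'])})")
```

Run against the constructed sample, the internal claim and the order to the approved lab pass silently, while the copy to a personal Gmail account and the results sent to an unvetted external domain are reported. A real deployment would feed the same rule from the gateway's actual log schema, extend the pattern set to the identifiers the organisation handles, and treat the partner list as the allow-list the "choose your partners wisely" takeaway below implies.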
Security requires a combination of technology, processes and people. Security experts agree people are often the weakest link. More companies are making security awareness training part of their a
Heads-up! HIPAA has Grown Teeth
The Health Insurance Portability and Accountability Act (HIPAA) has been around since the mid 90s, with one objective being to set expectations and requirements for healthcare organizations to implement controls that secure patient data. Up until a few years ago, the fines settled under HIPAA for violating its security and privacy standards often amounted to little more than a slap on the wrist.
But things changed in 2015 following the widely publicized Anthem data breach. The average HIPAA penalty is now $2.5M, a 250% increase since 2015, and total annual penalties approached $30M in 2018. (5) The launch of the General Data Protection Regulation (GDPR) in May 2018 has helped raise awareness of data privacy and expectations for penalties. GDPR fines totaled €56M, or $63M, in its first year, which some believe has spurred HIPAA enforcement to step up its fines. If the reputation/brand damage and loss of customer trust were not enough motivation for leadership to take notice of their security vulnerabilities previously, maybe the increased fines will attract the attention data protection deserves.
Summing it Up
Here are some key takeaways:
- The number of patient healthcare breaches is growing at an alarming rate and puts the entire digital health ecosystem at risk.
- Partners are often severely damaged in a breach. Choose your partners wisely and make sure they have a security program to protect sensitive data you share with them.
- Stolen healthcare data is now 10-20x more valuable than credit card data sold on the Dark Web.
- Untrained, unaware employees are nearly as big of a threat as hackers and malware.
- Regulatory fines have grown substantially and are even more reason for leadership to step up their data protection initiatives.
#creoculture #securityadvantaged #justdogreatwork
Sources
1. https://healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2019-so-far
2. https://www.healthcaredive.com/news/data-breaches-in-2019-already-double-all-of-last-year/560059/
3. https://www.beckershospitalreview.com/cybersecurity/patient-medical-records-sell-for-1k-on-dark-web.html
4. https://www.reuters.com/article/us-health-data-breaches/hackers-are-not-main-cause-of-health-data-breaches-idUSKCN1NO2HA
5. https://www.hipaajournal.com/healthcare-data-breach-statistics/