While recent ransomware attacks against healthcare facilities have grabbed headlines, good old-fashioned data theft continues to plague healthcare organizations. In fact, research from the Ponemon Institute and ID experts revealed that nearly 90 percent of healthcare organizations have had at least one data breach in the past two years, costing those victims more than $6 billion in total.
The study also found that half of all data breaches were the result of a criminal attack and 13 percent were caused by malicious insiders. Of course, inadvertent insider mistakes continue to be a major source of breaches as well.
Business associates also pose an increasing risk to healthcare organizations, with 41 percent of healthcare organizations blaming outsiders for causing their data breaches.
Bon Secours breach
A recent example of the risks posed by external third parties is the breach of patient data at Bon Secours, a not-for-profit Catholic healthcare system that operates 19 acute-care hospitals, five nursing care facilities, four assisted-living facilities, 14 home care and hospice services, and other facilities on the East Coast.
Bon Secours admitted last month that personal information on more than 650,000 of its patients was exposed on the internet for four days in April by business associate R-C Healthcare Management, the Richmond Times-Dispatch reported. Arizona-based R-C Healthcare Management provided data management to Bon Secours. The patient information disclosed included names, Social Security numbers, health insurance ID numbers and some clinical information. Bon Secours stressed that it “has no knowledge that the information contained within the files has been misused in any way.” Of course, lack of knowledge doesn’t necessarily mean that the hackers aren’t actually using the information for criminal activity. And this lack of immediate evidence of wrongdoing highlights the unique risks of data breaches at healthcare organizations.
When personal financial information is stolen, fraudulent charges on credit and debit cards begin to appear almost immediately after the data breach has occurred. This is not the case with stolen medical information. Stolen medical data could be used in many nefarious ways that are not easily traceable, such as creating fake medical IDs to buy drugs or filing fake medical claims with insurers. These activities could occur for years with no one realizing the fraud.
As a result, medical information is much more valuable on the cyber underground, where stolen health records can fetch 10 to 20 times the price of stolen credit card information, estimated Don Jackson, director of threat intelligence at the cybersecurity firm PhishLabs. In addition to these worrisome trends, there are disconcerting privacy aspects of health data fraud.
Hefty federal fines for patient data breaches
Federal regulators have taken notice of the recent increase in patient data breaches, and they are levying fines against healthcare organizations and business associates for sloppy IT security. Just last month, the Department of Health and Human Services’ Office of Civil Rights (OCR) levied its largest fine ever against a single healthcare entity — $5.55 million against Advocate Health Care Network for three patient data breaches that affected around four million individuals.
“We hope this settlement sends a strong message to covered entities that they must engage in comprehensive risk analysis and risk management to ensure that individuals’ ePHI [electronic protected health information] is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level,” she added.
Since last November, the office has levied more than $16 million in fines for patient data breaches, according to CNBC.
Three-step process to security
Healthcare organizations today have many security pain points. Besides the threats of breaches and ransomware, they have wide-ranging compliance requirements for standards such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), as well as their own security policies—all designed to protect their organization’s sensitive clinical and payment data.
One important aspect of meeting regulatory and internal audit compliance while preventing future breaches is to maintain a secure network. Healthy network security is a three-step process consisting of proper network segmentation, proactive risk assessment and security policy compliance. This process can be hampered by the complexity of today’s enterprise networks, but the need to prevent unauthorized access remains. Network security policy orchestration and automation can streamline network security and eliminate some of the more manual aspects of network management, which lead to the misconfigurations that increase a company’s overall attack surface and can expose sensitive data.
Understanding the nature and severity of threats is a start, but being able to proactively identify the outcomes of making a change to the network is a necessity to prevent breaches.
Ellen Fischl-Bodner focuses on cybersecurity at Tufin where she is the product marketing management subject matter expert on network security policy orchestration, compliance and solutions for industries such as healthcare and energy. She also blogs and presents webinars on hot topics in cybersecurity. Ellen is enthusiastic about innovation and has enjoyed key roles and publications that brought medical breakthroughs to mainstream adoption. Feel free to connect with Ellen on LinkedIn.