Criminal Attacks Targeting Healthcare Industry Increase 100 Percent Since 2010
While somewhat less sensational than a breach of the entertainment industry, criminal attacks on the healthcare industry are just as devastating, and they have climbed sharply over the past few years.
The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy & Data Security (PDF) found that criminal attacks targeting healthcare organizations have increased 100 percent since 2010 - that is, doubled: 40 percent of healthcare organizations reported a criminal attack, compared to 20 percent four years ago.
What’s up with that? The usual suspects get the blame - growing use of personal devices by healthcare employees (BYOD) and increased reliance on cloud services for file sharing, collaboration, backup and storage.
But another part of the security equation often overlooked is the important role that business associates play in ensuring patient data privacy. These third-party vendors often have access to electronic protected health information (ePHI) to complete tasks like payroll, HR, data processing and more.
Yet they often aren’t in compliance with the HIPAA Final Omnibus Rule, which requires business associates to meet the security standards already imposed on covered entities such as hospitals, healthcare systems and independent physicians. As the Dept. of Health and Human Services (HHS) has stated, some of the largest breaches reported to it have involved business associates. Enforcement against covered entities themselves has also been severe: HHS hit Cignet Health Center with a $4.3 million fine in October 2010.
The three types of business associates that respondents consider most risky are IT service providers (75 percent), claims processors (47 percent) and benefits management vendors (33 percent). IT service providers unsurprisingly top the list: they hold the (often privileged) keys to a healthcare organization’s entire IT environment, which gives them access to patient data and other sensitive healthcare documents.
The study reveals that the majority (73 percent) of healthcare organizations are only somewhat confident, or not at all confident, that their business associates are even capable of detecting a data breach, performing an incident risk assessment and notifying the organization in the event of a breach - obligations the law requires the standard business associate agreement to impose.
Another problem the Ponemon Institute identified is that healthcare organizations often rely more on policies and procedures than on the technology, budget and resources actually needed to secure sensitive information and meet HIPAA requirements. While 55 percent of respondents said they have policies and procedures in place to detect or prevent unauthorized data access, loss or theft, a policy is only words on paper if the technology and personnel to enforce it aren’t in place.
The study also found that fewer than half (46 percent) of organizations have personnel who are aware of and understand HITECH and state data breach notification laws, which makes it difficult to meet compliance requirements, let alone actually secure patient data.
One interesting concept introduced by TechnologyReview.com is that “hackers now have almost a big-data mentality”: they collect massive amounts of different types of data and draw correlations between disparate stolen datasets to build complete profiles of individuals. That means your credit card and banking information can be combined with your medical identity and personal information (address and Social Security number) to tell criminals how best to exploit your data.
What type of data is stolen most frequently from healthcare organizations? Unsurprisingly, billing and insurance records and medical files are the most likely to be lost or stolen. Armed with your health insurance information, a criminal can turn a profit by using it directly or by selling it to individuals who intend to commit medical identity fraud - that is, obtaining healthcare services under your insurance and leaving the bill with your insurer and providers.
For more on healthcare IT security, check out:
Remote Access Attacks & Threat Actor Profiling: Sign of the InfoSec Times
Securing E-Prescription Applications & Identity-Proofing
Lack of Third-Party Security, Multifactor Authentication Lead to Medical ID Theft