Healthcare at Risk: Medical Identity Theft, Phishing and Criminal Attacks Increase
According to the Ponemon Institute’s latest healthcare data security report, medical identity theft has almost doubled in the past five years, increasing from 1.4 million to over 2.3 million in 2014. The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data found that criminal attacks on healthcare organizations have jumped 125 percent compared to five years ago, accounting for 45 percent of healthcare data breaches.
As criminal attacks and medical identity theft increase, so do the costs. Data breaches could be costing the healthcare industry $6 billion, an estimate based on the survey results, while the average cost of a single healthcare data breach is estimated at more than $2.1 million.
Most of the healthcare security incidents involved lost or stolen devices (96 percent), while spear phishing was also high on the list, at 88 percent. “Web-borne” malware attacks were involved in 78 percent of attacks, which I assume just means ‘online.’ I’m always amazed at the new vernacular used to describe the same thing, but in this case, perhaps Ponemon was trying to relate to the medical industry (web-borne = air-borne)? The virus analogy is not lost.
When it comes to being prepared for a security incident, less than half (49 percent) of healthcare organizations agree that they have sufficient technologies in place, while only 33 percent believe they have sufficient resources to prevent or quickly detect a data breach.
A separate report from last year, Finding a Cure for Medical Identity Theft, found that 80 percent of healthcare organizations use firewalls, antivirus and strict passwords. Only 32 percent are using multi-factor authentication.
When it comes to healthcare organizations’ business associates, 95 percent say they’ve had a security incident involving lost or stolen devices, while 90 percent report incidents involving spear phishing. This shows that it’s not only healthcare organizations that are targeted by these types of attacks, and that the vendors that support the industry - like accounting firms, healthcare attorneys, medical transcriptionists, benefits management companies, etc. - must also be vigilant about security.
And these business associates are also feeling short on funding and resources necessary to meet information technology, security and compliance needs. Nearly 60 percent of respondents say they need more funding and resources in order to make their formal incident response plan effective in the event of a security incident.
Unsurprisingly, medical files and billing and insurance records were the most targeted type of patient data in security incidents, as they contain the most valuable patient data. Payment, scheduling and prescription details are also targeted.
The report also identified some security incidents linked to technology adoption trends, such as the use of cloud services (up 8 percent), mobile device insecurity (up 8 percent), and threats to employee-owned mobile devices or BYOD (up 5 percent).
Part of the reason cloud and mobile security incidents are on the rise may be that it’s hard to have complete visibility and control, particularly as the number of cloud services and mobile devices grows. Personal devices are hard to keep track of, as they’re largely unregulated, and may be jailbroken or running outdated OS versions.
A two-factor authentication solution that also gives you visibility into your users, applications, networks and devices is one way to get it all under control. Learn more about Duo Access, which lets you see data about devices that authenticate to your applications, such as whether or not the device has a lock screen passcode. With the data, you can create custom controls and policies to keep risk at bay, including blocking logins from anonymous networks, or from countries you don’t do business in.