Skip navigation
industry news

The Year of the Healthcare Hack: 98% of Stolen Medical Records Due to Hacking

One in three Americans were affected by a healthcare breach last year, according to a report released by Bitglass, Healthcare Breach Report 2016. That’s a major increase from 12.6 million people in 2014 to 113 million in 2015.

Last year, most lost medical records were due to large-scale breaches attributed to hacking or an IT incident (98 percent), according to A Redspin report on healthcare breaches last year dubs it “The Year of the Hack,” as 9 of the top 10 incidents were the result of hacking attacks and IT incidents.

That fact was proven after an analysis revealed the top three largest healthcare data breaches were discovered in 2015:

  • Anthem, a health plan provider, was compromised and exposed medical records for 78.8 million customers
  • Premera Blue Cross discovered an intrusion into its network that resulted in the breach of financial and medical records of 11 million customers
  • Excellus Health Plan found out that hackers accessed 10 million personal records, including financial data, nearly two years ago

These large healthcare breaches account for some of the statistics found in the report. The report’s analysis of reported healthcare breaches found that hacking or IT incident-related breaches had increased 31 percent in 2015 from the year prior.

When sensitive data like Social Security numbers and medical claims information is stolen, it’s even harder to remediate, as it’s much harder to get a new SSN or change your medical records. That kind of identifying information can be used for fraudulent purposes indefinitely.

Pervasive Security Problems at Hospitals

There appears to be a lack of knowledge or understanding of the importance of information security practices at healthcare organizations, as Johns Hopkins professor Avi Rubin revealed in a talk, Hacking Health: Security in Healthcare IT Systems at the 2016 USENIX Enigma infosec conference.

During an IT tour of hospitals and their systems, Rubin found a lot of security problems. In one hospital, they had 8k employees - and every single employee had the same access to all of the medical records in the system as the other employees. This is problematic because the greater the number of users with full permissions and access to sensitive data, the greater the risk of a massive data breach if an attacker got access to just one set of credentials.

In a radiology department, he found that a nurse was assigned to typing in passwords into computers to avoid the time limit that would log doctors out of the system. The hospital was effectively bypassing the security measures of lockouts and keeping doctors continuously logged in, even if they weren’t at their workstations.

One doctor worked from home when he was working on medical records and not seeing patients. He accessed the system via VPN with his home computer, but it was also used by his children to play games and browse the Internet as well, which can present an issue if the computer is exposed to malware and then accesses a sensitive hospital system.

Security Solutions to Avoid A Healthcare Data Breach

On the user side, training employees on how to spot a phishing attack can help reduce the risks of a healthcare breach. Many of the breaches were the result of an employee fooled into giving their username and password away to an attacker via phishing emails.

In the case of the Anthem breach, malicious hackers had stolen the credentials of five different employees, likely via phishing attempts. An Anthem computer system administrator found that attackers logged into the company’s system using his username and password and were running data queries.

For some quick phish-free tips, check out State of the Phish: Protecting Against Increasing Phishing Attacks.

Another way to protect users’ accounts is by deploying two-factor authentication on every account in your organization - not just administrators. Many IT teams think that they’re covered if they protect only privileged users, but many malicious hackers target HR, marketing, sales, and even contractors that may typically be overlooked when it comes to security threats.

Attackers can move laterally within a network once they gain a foothold with a pair of credentials of a user with lesser privileges, finding their way to sensitive data. That’s why it’s critical to protect every single user with access to your company’s applications, networks and systems, not just the privileged.

On the admin side, using an endpoint security solution that collects, analyzes and detects vulnerable devices that connect to your healthcare network can help you identify any potential threats to your company.

Logging user behavior and authentication attempts can help admins detect when something is amiss. For example, if a user logs into your network from China or an anonymous network like Tor, you can track and block these attempts if they’re flagged as unusual.

Learn more about security in the healthcare industry by downloading Duo Security's Guide to Securing Patient Data.