As you might imagine, the healthcare industry is a prime target for cybercriminals. In fact, healthcare accounted for 76.59% of all data security breaches in the past five years. The average cost of a data breach is $3.86 million.
Hackers are getting more sophisticated, using malware, phishing attacks, ransomware, and other tactics to steal patient information. Notable high-profile security breaches in recent years include Anthem Blue Cross, Premera Blue Cross, and CareFirst BlueCross. In addition, breaches are on the rise. In 2020 alone, 28,756,445 patient records were exposed in security breaches, making it the third worst year for healthcare security breaches on record. What does this mean for you, and what should you do? And when you work with 3rd party vendors, how do their security standards affect your health system?
What is a Breach?
To the general public, the phrase "security breach" sets off alarm bells. Am I at risk? What data has been exposed? Is my money secure, and what do I need to do to make sure I am safe? How many passwords am I going to have to reset (and remember)!? Where do I start? It is normal to feel completely helpless and lost. Data privacy is a great cause for concern because a breach can have several root causes, some malicious and some not. A data breach is not always cause for alarm to the individual, however. According to Alvarez Technology Group, “malicious or criminal attacks caused the most data breaches at 48 percent (for a single group). 27 percent were due to human error, and 25 percent were comprised of both IT and business process failures (system glitches).”
For the organization handling the data, it is a completely different story. A potential breach is a security issue every CIO and security team must prepare for, as the root causes typically fall in their wheelhouse. Furthermore, the cost implications and downtime wreak havoc on the hospital's day-to-day activities, no matter what the cause. Meet Access CIO Scott Fuller, former CIO at Doctors Hospital at Renaissance, and the driving force behind why Access eForms now has the highest security standards among our peers. According to Fuller,
“The first reaction of a leader after a security breach has been discovered is to communicate. This might seem contrary to some impulses to sweep it under the rug or feeling ashamed that the breach occurred. The reality we all live in is that it is no longer IF a company suffers a security breach, it is a matter of WHEN. Your quick-to-communicate reaction will be appreciated by your peers and customers alike.”
In a study by the Ponemon Institute, which examined the effects of data breaches on 477 different companies, a proactive approach and preparedness significantly improved the outcome of a data breach, resulting in faster discovery and increased security. In fact, the study shows that these efforts could reduce the average cost of $148 per compromised record by as much as $14 per record. The end result is better protection against cyber-attacks and increased efficiency.
Nearly half of all healthcare breaches are without malicious intent; however, all data breaches must be treated with the same care regardless of their nature. In NCBI’s publication, Healthcare Data Breaches: Insights and Implications, a healthcare security breach is generally defined as “an illegitimate access or disclosure of the protected health information that compromises the privacy and security of it.” Though HHS, HIPAA, and other organizations have slightly different definitions, they all share the same sentiment.
Data breaches are a major concern for companies, and they can happen in two different ways. Internal data breaches result from a member of the organization who abuses their privileges or mishandles sensitive information. External data breaches occur when someone outside the organization gains access to confidential material that was not shared with them. These incidents include ransomware attacks, phishing, malware, spyware, or fraud in the form of stolen cards.
Data shows that healthcare organizations need to be proactive now more than ever. The number of hacking incidents reported each year increased by almost 20% from 2016 to 2019. Of the 850 hacking-related security breaches on record, 692 (81%) occurred in just those four years, with 32% of them in 2019 alone.
According to TechRepublic, the highest cyber security risks and the percentage of healthcare organizations affected by each one are:
- Malicious network traffic: 72%
- Phishing: 56%
- Vulnerable OS (high risk): 48%
- Man-in-the-middle attack: 16%
- Malware: 8%
Where are the breaches happening? You Might Be Surprised.
Paper, films, and files accounted for the highest number of incident locations by a thin margin. NCBI “saw 575 breached incidents out of a total of 3253 incidents, accounting for 17.67% of the total number of episodes during 2010 to 2019. The leading position of Paper/Films is because of the improper disposal of unnecessary but sensitive healthcare data.”
In spite of the common perception that digital avenues like EMRs are easily hacked and vulnerable, there were only 195 instances where anyone was able to break in during that time period, accounting for only 5.99% of the total 3,253 incidents.
The use of smart devices and a lack of security software on database servers caused the number of incidents involving email and network servers to increase in 2019. Studies show that outdated security software, weak or no passwords for email accounts, and unprotected databases are all reasons why these breaches occur.
Let's Illuminate Some High-profile Cybersecurity Threats with the Top 10 Breaches According to HHS Breach Portal Data
Conclusion - The World is Your Case Study
You might already know it, but just in case you don't: the one thing that would ruin everything is a cyber-attack on a hospital. Hackers are always looking for ways to infiltrate and steal medical data so they can sell our private information or, worse yet, create new ransomware with severe consequences, such as locking down all vital equipment until we pay them off in Bitcoin. It's an act of terrorism against those most vulnerable within society.
For healthcare leaders, the silver lining in all this is the ability to gain insight into how hospitals have already handled these security breaches, so that you are prepared to take the best action in protecting your own healthcare system. Cybersecurity is like a game of chess. It's important to be one step ahead and have contingencies in place for when something happens, which it eventually will. If your organization becomes the next target of cyber attackers or data breaches, are you ready? What about the vendors that you work with? Are they secure? What is their Security Audit Score, and if it’s low, is it worth risking your patient data for a 3rd party vendor? Access eForms generated audits of our closest competitors in the eSignature space, and we were shocked to see that high standards for security were not in place, leaving hospitals more vulnerable to attacks. We encourage you to take a look at your current vendors and start a conversation about their security standards.
According to Scott Fuller, who you’ll hear more from during our next blogs in this series, “Security evaluations of 3rd party vendors are no longer limited to HiTrust requirements. Everyone needs to consider the security posture of their vendors to understand what risks they might be bringing to the table.”
Access eSignature is not a security company, but we put our security standards above all.
If you’d like to see the security scorecard for your vendors, we’ll be happy to send you a personalized report. Hop over to the Security Reports section of our site and we'll send you the customized report.