From late 2009 to 2017, healthcare industry data breaches exposed the health information of more than 155 million Americans. According to a study from the Brookings Institution, a quarter of hacking attempts are focused on healthcare, due largely to the monetary value of selling this information on the black market.
The vehicle for many of these hacking attempts is through “cyber-crime-as-a-service,” where malware is pre-bundled together into an exploit kit. This prepackaged format means criminals with limited tech experience can successfully carry out attacks and breach a healthcare provider’s defenses with minimal effort. Organized crime elements are behind many of these breaches and often use an “insider” to steal records.
Despite the risks and the relative ease of initiating an attack, many healthcare organizations do not have the most advanced security measures in place. In some instances, other regulatory measures have unintended consequences that put data at risk. For example, the push towards electronic health records (EHR) increased data access, but some organizations were not ready for the security side of managing all of that digitized information. Most healthcare organizations are also not using monitoring solutions – so they don’t know when breaches occur.
Internal and External Threats
Hackers are “in it for the money,” so they often target healthcare records because they fetch an attractive price on the open market. These types of records are also easier to obtain. Besides sophisticated criminals, another source of healthcare breaches is internal staff members. For example, a front desk employee at a large hospital group might access someone’s health records as a favor for a friend. The employee’s intent is not to sell the information, but it is a breach nonetheless. In either case, the insider example or a hacking incident, there is typically no visibility into the problem, so the organization does not learn about the breach until weeks or months later.
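The visibility gap described above (an insider opening a chart with no treatment reason, or an account pulling many records at once) is exactly what EHR access-log monitoring is meant to close. The following is an added example, not code from the article or from any EHR vendor: it reviews a constructed, hypothetical CSV audit log against an equally hypothetical treatment-relationship table and flags three patterns, access with no documented relationship, chart exports by roles not permitted to export, and bulk access to many distinct patients in a day. The column names, role names and thresholds are assumptions.

```python
"""Review an EHR access audit log for record snooping and bulk pulls.

Added example (not from the original article). The CSV layout, the role
names, the authorized-user table and the thresholds are all assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample audit log: timestamp,user,role,patient_id,action
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2017-03-01T08:02:11,nurse.kim,nurse,P1001,view
2017-03-01T08:05:40,nurse.kim,nurse,P1002,view
2017-03-01T09:15:02,frontdesk.lee,registration,P1001,view
2017-03-01T09:16:30,frontdesk.lee,registration,P2042,view
2017-03-01T12:00:00,dr.patel,physician,P1002,view
2017-03-01T22:41:09,billing.ross,billing,P3001,view
2017-03-01T22:41:15,billing.ross,billing,P3002,export
2017-03-01T22:41:21,billing.ross,billing,P3003,view
2017-03-01T22:41:27,billing.ross,billing,P3004,view
2017-03-01T22:41:33,billing.ross,billing,P3005,view
2017-03-01T22:41:40,billing.ross,billing,P3006,view
"""

# Constructed treatment-relationship table: accounts with a documented reason
# (care team, open encounter, assigned billing case) to open each chart.
AUTHORIZED = {
    "P1001": {"nurse.kim", "dr.patel", "frontdesk.lee"},
    "P1002": {"nurse.kim", "dr.patel"},
    "P2042": {"dr.okafor"},
    "P3001": {"billing.ross"},
    "P3002": {"billing.ross"},
}

EXPORT_ROLES = {"physician", "records"}  # assumed roles allowed to export charts
BULK_THRESHOLD = 5                        # distinct patients per user per day


def parse_audit_log(text):
    """Parse the CSV audit log text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, authorized=AUTHORIZED, export_roles=EXPORT_ROLES,
                  bulk_threshold=BULK_THRESHOLD):
    """Return findings as dicts with keys user, subject, reason.

    subject is the patient_id for per-access findings and the calendar day
    for bulk-access findings.
    """
    findings = []
    patients_per_user_day = defaultdict(set)
    for row in rows:
        user, patient = row["user"], row["patient_id"]
        role, action = row["role"], row["action"]
        day = row["timestamp"][:10]  # ISO timestamp, date part only
        patients_per_user_day[(user, day)].add(patient)

        # Rule 1: chart opened by an account with no documented relationship.
        if user not in authorized.get(patient, set()):
            findings.append({"user": user, "subject": patient,
                             "reason": "no_treatment_relationship"})
        # Rule 2: export by a role that is not permitted to export charts.
        if action == "export" and role not in export_roles:
            findings.append({"user": user, "subject": patient,
                             "reason": "export_outside_role"})

    # Rule 3: one account touching an unusual number of distinct patients.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > bulk_threshold:
            findings.append({"user": user, "subject": day,
                             "reason": "bulk_access:%d_patients" % len(patients)})
    return findings


def findings_by_user(findings):
    """Count findings per account so reviewers can triage the noisiest first."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_audit_log(SAMPLE_AUDIT_LOG)
    results = review_access(rows)
    for f in results:
        print(f["user"], f["subject"], f["reason"])
    print(findings_by_user(results))
```

Rule 1 depends on the relationship table being maintained from scheduling, encounter and work-queue data; where it is stale, the rule produces noise rather than signal, so the per-user count is a better starting point for triage than the raw finding list.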