A recent study from the Brookings Institution found that one in four hacking attempts will focus on the healthcare industry. The study’s findings reflect the scale of these breaches: it notes that since late 2009, the health information of more than 155 million Americans has been exploited through a security breach. These records are valuable because they provide a fairly complete picture of a person, with Social Security numbers, addresses, health data, and sometimes even payment methods.
Much of this hacking comes through “cyber-crime-as-a-service”, in which criminals can purchase the tools to conduct malware attacks. For example, they can buy exploit kits, in which malware is packaged in a usable form, allowing individuals with minimal technical expertise to carry out damaging breaches and ransomware attacks. Organized crime groups are behind many of these incidents, using malware or someone on the “inside” to steal records and sell them for upwards of $50 each.
Unfortunately, many companies in the healthcare sector are susceptible to breaches. For example, the regulations pushing for electronic health records (EHR) brought benefits in terms of accuracy and speed of information sharing, but the downside is that some organizations were not prepared for the security implications. These companies also lack monitoring capabilities: they simply don’t know when a breach occurs or who carried it out. CIOs, CSOs and compliance officers poorly understand their total user bases, so they can’t manage the “acceptable use” of their protected health information (PHI).