Why the Healthcare Industry Is an Easy Score for Hackers
Worldwide, healthcare is an industry worth several trillion dollars, and it is anything but secure. Billions of dollars are lost each year to healthcare fraud, much of which involves compromised medical records.
In September 2015, Healthcare Informatics reported that in the first half of that year alone, the healthcare industry suffered 187 breaches, 21 percent of the 888 breaches reported worldwide. Those healthcare breaches resulted in 84.4 million compromised records or 34 percent of the worldwide total.
As reported in May 2016 by eSecurity Planet, the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data found that 89 percent of healthcare organizations had been breached in the past two years. The same study found that 45 percent of those organizations had been breached five or more times in that two-year period.
Healthcare as a target
Clearly, the worldwide healthcare industry is being increasingly targeted by the worldwide hacking industry. There are two main reasons for this: financial gain and opportunity.
Hackers have searched out other opportunities. The black-market value of a credit card number has fallen to about $1 per record, as financial organizations have become better at securing their databases, thwarting threats, and remediating successful breaches.
Meanwhile, records containing personally identifiable information (PII) such as Social Security or National Insurance numbers are now worth 10 to 20 times that much, according to published reports. However, some hackers apparently offer “volume discounts.”
A June 2016 eSecurity Planet report said that a hacker was offering to sell 700,000 stolen records, including Social Security numbers and other PII, for $655,000. This may have been a “loss leader,” however.
When personal health information (PHI) is added to the equation, the value is even higher. Hackers or their sponsors can pose as doctors and use that PHI to file very profitable fraudulent insurance claims or to order and resell controlled substances and medical equipment. Even without specific medical information, criminals can use PII to apply for loans. When combined with other information and counterfeit documents, PHI records can sell for as much as $500 each, according to a December 2014 Forrester Research report.
When one type of target becomes hardened, hackers tend to refocus their efforts on less secure types.
For example, after financial and retail organizations became better at securing centralized databases, hackers found ways to breach less-secure retail point-of-sale (POS) systems. Healthcare systems are ripe for this “soft target” approach and have been for some time now.
According to a warning issued in April 2014 by the FBI and obtained by Reuters, “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors. Therefore, the possibility of increased cyber intrusions is likely.” Current reality proves the prescience of that warning, and provides several reasons for its accuracy:
From a cybersecurity perspective, healthcare IT environments are chaotic. PCs are shared by multiple doctors and nurses. Aging medical equipment relies on software that rarely, if ever, gets updated, and on outdated, unpatched, and sometimes even unsupported operating systems. In many cases the software provider may no longer exist, making security updates difficult or impossible.
Doctors and other healthcare providers increasingly insist on using smartphones and tablets to exchange email with colleagues and patients and to view medical images and information at the bedside, at home, and on the road. The number and variety of mobile devices, operating systems, and system versions needing support create an unwieldy management and security quandary for healthcare providers and their IT and security teams.
This growing demand for mobile access to healthcare-related data has led to an escalation of data theft from lost or stolen devices. Some industry watchers estimate that lost and stolen devices account for as many as half of all healthcare cybersecurity breaches.
Solutions for managing and securing mobile devices and information can be unwieldy and generate resistance. Many solutions force users to switch back and forth awkwardly between managed corporate and unmanaged personal applications on the same device.
Other solutions require users to accept having their device usage monitored and managed when they are at home and at work. Many users consider such scrutiny an invasion of their privacy. Unfortunately, such disruptions and perceived intrusions cause some users to find ways to “work around” tools and measures intended to keep those users and the information they access secure.
Thus, many healthcare organizations allow medical staff and employees to connect their mobile devices to corporate networks, with little to no confidence in the security of those devices or their connections to critical corporate or private patient information.