Today, online healthcare information is one of the most susceptible, profitable targets for cybercrime. The primary reason: The rapid proliferation of connectivity and medical data has outpaced the implementation of rigorous cybersecurity around healthcare.
Staying informed about cybercrime trends is the first step to safeguarding valuable data. This interactive eBook is designed to help you identify common cybercrime tactics and the magnitude of relative risk for healthcare organizations. Because a comprehensive, effective cybersecurity system often requires significant investment, we also investigate payment strategies and options that allow you to take immediate action.
When Congress introduced the Health Insurance Portability and Accountability Act (HIPAA) in 1996, proponents hailed it as an assurance of stringent security and privacy for patient information. The Department of Health and Human Services (HHS) planned to oversee performance of the hospitals, insurers, and related organizations that served as stewards of millions of personal medical records.
However, as growing amounts of medical information were digitized and placed online, hackers and other malefactors began to breach systems that held the data. In 2010, HHS counted about 200 major data breaches. Over the course of the next several years, HIPAA-related data hacks continued their upward trend, reaching 510 in 2019.[1]
It’s interesting to note that HIPAA opted to count only those hacks that involved 500 or more patient records. We can only speculate as to how many smaller attacks went unreported.
Few documents in contemporary life are as comprehensive and intimate as medical records and other protected health information (PHI). Each may hold significant details of a person’s medical history, including physician appointments, lab tests, diagnoses, prognoses, medications, supplements and prescriptions.
Other data commonly specifies a patient’s employment history, insurance, credit cards, bank accounts, social security number, demographics, past addresses and names of relatives.
A stolen medical record commands one of the highest black-market prices for any illicit data. On the dark web, a single stolen credit card might carry a price tag of 20¢. In contrast, one medical record could sell for upwards of $1000.[2] Even the value of a lifted financial record comes in at a distant second place.
In most instances, online theft of medical records may remain undetected for weeks or months. Cybersecurity analysts refer to this period (between a breach’s occurrence and eventual discovery) as “dwell time.” In 2018, median dwell time for hacks was about 80 days, though longer periods are common.[3]
Some data breaches gain access not only to medical records, but to complete sets of physician credentials, as well. These typically command an even higher price than a medical record, especially because the criminal gains the potential to bill multiple insurance companies for countless services, to write prescriptions and even to pose as a legitimate, practicing doctor.
A hacked device typically means degradation of patient care and theft of patient data. What makes the devices so vulnerable? As of late March 2020, 83 percent of them ran on outdated, unsupported operating systems.[4] Failing to safeguard PHI brings substantial fines and corrective action plans from HHS.