Cyber criminals have turned what were once many small tag and bag operations into a multibillion-dollar industry. Through heavily organized and targeted attacks, they have caused data breaches that cost the healthcare industry an average of $6 billion annually.
As healthcare organizations around the nation make the transition from paper to digital records, they have opened the gates for poachers to access their sensitive data. Healthcare has lagged far behind other industries, like finance, when it comes to digitizing records and implementing security protocols to protect its data.
What is the value of a healthcare record?
Healthcare records are more valuable than an individual record in any other industry. An individual health record can sell for more than $1,000 on the dark net. Health records contain social security numbers, health insurance information and credit card numbers. People can use stolen records to falsify insurance claims, obtain fake prescriptions and commit fraud.
The major challenge in healthcare is the constant flow of data that is required to serve patients with the highest level of service. The exchange of patient records is necessary to process billing and insurance information, provide doctors with medical history, obtain medications, and the list goes on. Because your health records may need to be accessed by so many different health organizations, securing their privacy when they are touched by so many hands is a feat of its own.
Department of Health and Human Services taking action
HHS has realized the security fallacies and risks in healthcare and is enforcing the policies set in place. Earlier this year, Children’s Pediatric Hospital in Dallas paid a $3.2 million fine as a result of two previous data breaches. Memorial Health Systems was also fined earlier this year for a lack of audit controls, which resulted in a breach of 80,000 medical records. The fines for hospitals are increasing year after year, and as a result healthcare organizations are heavily increasing their security budgets.
The problem is that they are implementing security solutions that are clunky and deter doctors and patients from using them. The more hospitals are breached and fined, the more complicated their security systems become (e.g. passwords resetting every week and recipients being required to log in to portals). Some doctors turn to shadow IT avenues such as text and private email to communicate with their patients, opening them up to cyber attackers. Although some security systems are becoming so complicated that they are a pain to use, unsecured communication is a major red flag. The slow adoption of technology and the over-engineering of many security applications are leaving doctors and patients frustrated while allowing cyber attackers to capitalize on the systemic weaknesses.