One of the few things that we all have in common is that we need to take some degree of care when it comes to our health. Healthcare providers—like doctors, dentists, nurses, and more—are there for us to take advantage of their extremely vital services in order to keep up with all aspects of our health. In order to properly know our healthcare needs, these providers need to have some pretty sensitive information about every one of us. But what if that very sensitive information was stolen by cybercriminals with plans to distribute it across the dark web? That’s exactly what could happen when healthcare providers fall victim to a data breach.
In 2015, the healthcare industry saw more data breaches than any other industry—you can see some of the biggest breaches in Figure 1 above—and data breaches have cost the healthcare industry upwards of $6.2 billion over the last two years. Hackers and cybercriminals target healthcare providers because of the valuable information they have on their patients, often referred to as protected health information (PHI), personally identifiable information (PII), or HIPAA data. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting this PHI data and is a regulatory standard across the healthcare industry to this date.
Data protected by HIPAA includes health status, provision of health care, or payment for health care that can be linked to a specific individual. This data is valuable to healthcare providers because it is individually identifiable health information related to the patient’s past, present, and future medical conditions—this means it helps the doctor or dentist to make informed decisions about what their patient’s needs are and what means of medical attention are necessary to address these requirements. This is the good side of HIPAA data. However, hackers want this information just as much as healthcare providers, but for a few different reasons.
HIPAA data is attractive to hackers and other cybercriminals because it is one of the biggest gateways into stealing a person’s identity. Even more than credit card information, medical data is the easiest way to steal a person’s identity because of the sheer amount of information that is readily available. Medical records include sensitive information like patients’ full names, social security numbers, credit card numbers, signatures, and more—everything a malicious person would need to steal a person’s identity, or in the case of a data breach, multiple people’s identities. Unlike credit card-induced identity theft, ID theft via stolen medical records does not show up as quickly as credit card fraud. In addition to this fact, healthcare information sells online for ten times that of credit card data.
In addition to stealing identities, hackers can utilize HIPAA data that is stolen in health insurance and Medicare fraud. Dark web users who buy full medical files could use patient numbers with false provider numbers to file fraudulent claims with payers. When they do this, the victim does not know about the fraud because bills are being sent to his medical provider without his knowledge and the insurance provider does not know that he is not the one filing.
With all of this information needed by healthcare providers, it is their duty to their patients to protect this data. Here are a few ways healthcare providers can protect their PHI from data breaches and attack:
- Educate staff members—Education is key in all aspects of life, but protecting data is one of the biggest areas where education is required. When staff members know what is and is not HIPAA data, they can take the necessary amount of care in keeping that data safe. Phishing is one of the main ways hackers get into hospitals’ networks, so informing employees of things to look for that could potentially be malicious is vital when it comes to securing your information.
- Consider Encryption—Be sure to encrypt both your hard drive and any electronic communication that you can. When hackers have to work harder to get your data, they are likely to skip you and move onto the next, more vulnerable victim.
- Protect your network—Having multiple stages of protection is key to keeping your PHI and HIPAA data secure. This includes wired networks, wireless networks, and connected medical devices via IoT. One of the best ways to do this is by installing a next-generation firewall. Axiom Cyber Solutions offers its SecureAmerica® Firewall as well as HIPAA compliance help as a partner to those healthcare providers that need to be HIPAA Compliant.
It is important to secure your networks in any industry, but it is even more crucial in those industries where real customers and clients could be compromised in the event of a breach of security. Healthcare has faced many hurdles in cybersecurity recently, but hopefully by creating multiple barriers for hackers to overcome, the industry will see a turn for a safer, more secure environment.
Hailey Carlson | Axiom Cyber Solutions | 8/15/2016