2015 has been inundated with cyber-attacks against the healthcare industry. In recent headlines, Excellus Blue Cross Blue Shield stated that approximately 10 million of its customers had their healthcare records compromised.
Not only did critical information such as names, Social Security numbers, addresses, and birthdays get leaked but financial data such as credit card information was also compromised. Additionally, this puts their customers at risk for fraud and identity theft.
Criminal cyber-attacks are rising amongst the healthcare community and, despite strict HIPAA guidelines and regulations, many hospitals and healthcare providers are grappling with keeping their patients’ data safe.
Cyber-attacks and data breaches cost the U.S. healthcare system approximately $6 billion annually, according to security research firm The Ponemon Institute.
KPMG polled over 200 healthcare providers and found that four out of five providers had been hacked.
44% of healthcare organizations have been attacked 1-50 times, while 38% have been attacked between 50 and 350 times in the last year. 13% were attacked more than 350 times.
It doesn’t take a stretch of the imagination to realize just how many additional attacks go undetected and unreported, as in the case of Excellus, where hackers first accessed patient records in December of 2013 but weren’t discovered until August of 2015. This gave the attackers nearly two years of running data collection. In the same study, KPMG also found that only 53% of healthcare providers are ready to defend against a cyber-attack.
They listed five issues that healthcare organizations are facing.
1. The adoption of digital patient records and the automation of clinical systems.
2. The use of antiquated electronic medical records (EMRs) and clinical applications that are not designed to securely operate in today’s networked environment — and software vendors who push that problem to the provider.
3. The ease of distributing electronic personal health information both internally (via laptops, mobile devices, thumb drives) and externally (third party firms and cloud services).
4. The heterogeneous nature of networked systems and applications (i.e. network-enabled respirator pumps on the same network as registration systems that can browse the Internet).
5. The evolving threat landscape, where cyberattacks today are more sophisticated and well-funded, given the increased value of the compromised data on the black market.
“Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for executives is to advance their institution’s protection to create hurdles for hackers,” according to Michael Ebert of KPMG’s Healthcare & Life Sciences Cyber Practice.
These data breaches and security vulnerabilities cannot and should not be underestimated, and their severity and frequency are a cause for concern. Healthcare providers must make cyber security a priority. No longer is this an issue that companies can ignore.
Protecting patient data is critical, and the healthcare industry must start preparing and implementing a strategy to prevent these hacks before the U.S. Government begins to levy heavy penalties and fines on those who do not step up to today’s threats.