Did you know that more than 25 percent of all data breaches that occur in a given year affect hospitals and healthcare facilities? Why is healthcare data a target for hackers?
Research from 2018 suggests that health data is the second most at-risk type of information after social security numbers. In 2019, there have been more than 25 million patient records affected.
It’s also imperative to point out that 53 percent originated within the establishment itself out of all hospital data breaches. What’s even more troublesome is that for most hospitals, more than a month passed from the initial hack attack/breach to its detection.
Why are healthcare facilities vulnerable, and what makes hackers target such institutions? Why are health security challenges becoming more difficult to address every single year?
Why Do Hackers Target Hospitals?
The research quoted in the introduction suggests that over 15 million patient records were breached in 2018. The number of affected records has nearly tripled over the course of a single year – from slightly over 5.5 million records in 2017 to over 15 million records in 2018.
There are several reasons why hackers are so keen on accessing healthcare facilities and patient information.
Patient data can easily be sold off, which is the number one reason why healthcare facilities are subjected to so many hack attacks.
Health records and other patient-related information are hugely demanded on the black market. In some instances, hackers are even capable of selling the information back to the hospital itself. Needless to say, they generate massive profits from such “transactions.”
In essence, hackers can make money from patient data through blackmail or by selling such records to the highest bidder.
Hackers can also utilize the information of high-profile patients. In 2017, for example, hackers breached the network of a major plastic surgery clinic in London. It was a high-profile case that included information from numerous celebrity clients. That information consisted of pictures, medical records, addresses, and even sensitive financial data.
Such information can easily be applied to fraudulent activities, stalking, and harassment.
Finally, hackers target medical facilities because they lag in the introduction of security measures. Bank and financial networks, for example, are heavily protected. This isn’t the case for medical facilities. Many of them don’t have the resources to introduce the latest safety measures and ensure that patient information is properly protected.
Ways in Which Hospital Data Breaches Occur
A hospital’s database can be breached in several distinctive ways.
The first and easiest available option is the so-called social hacking. It involves getting credentials (user names and passwords, for example) from one of the individuals with legitimate access to the network.
It’s straightforward for someone to impersonate an IT company rep who needs to do maintenance, hence is looking for credentials information.
The second and a bit more challenging option involves brute force to access the network in a completely unauthorized way.
Security experiments show that the second data breach method isn’t that difficult to utilize.
The Hacking Hospitals report was issued back in 2016, but it paints a troublesome picture. Cybersecurity specialists were hired to penetrate the network of 12 medical establishments in the US and two medical data centers. They also targeted two active medical devices and two web applications.
The experiment continued over the course of two years, and various attack methodologies were employed. Unfortunately, cybersecurity specialists detected many omissions and serious security issues. In one of the instances, they left branded USB drives at the hospital. All of the devices featured the hospital logo and contained malware.
In another scenario, the security specialists utilized one unattended lobby kiosk to access sensitive information about various patients.
The conclusion reached was that hospitals were severely lacking in data security measures due to the lack of funding, the lack of appropriate staffing, no employee training about the best data security practices, improper organizational structure, the overall lack of a security policy, and the lack of security audit procedures.
Healthcare Data Protection: Best Practices
Data security solutions are becoming more readily available today. Cloud-based technologies are scalable and cost-efficient. They allow for better protection through encryption, access monitoring, and the logging of unusual activity.
A shift in mindset is needed for healthcare facility managers and administrators to see the cost-efficiency of database safety solutions. Until recently, these were perceived as too costly and only attainable within a large medical facility framework.
Educating staff members is even more important. As already illustrated by some examples, many hack attacks and security breaches are the results of negligence or complete unawareness of safety protocols.
Any IT security program within the healthcare framework should have a big focus on staff training. Many people are still unaware of how hack attacks occur, phishing, malware, or ransomware. When such threats become easy to identify, they also become easy to circumvent.
Good hospital data protection practices should also focus on establishing a secure wireless network, the encryption of portable devices, and even the introduction of physical security controls like locking file cabinets (to protect paper-based data) and installing security cameras.
Hospital Security Necessitates a Thorough Approach
Making hospital data more secure isn’t about the introduction of a single measure. A thorough approach will be required to eliminate vulnerabilities from the network itself and reduce human error risk.
Such measures, however, are long overdue.
Hospital records contain highly sensitive personal details. This information is incredibly valuable, and hackers’ appetite for patient files will not get diminished any time soon. As technologies evolve, hack attacks become more advanced. This is why hospitals need to introduce the right data management protocols and technologies.
The importance of information management in the healthcare context cannot be underestimated. While digitization simplifies the management of larger information volumes than ever before, it also contributes to potentially disastrous security risks. The need for healthcare-focused security solutions and staff training courses will only grow in the years to come. While current statistics don’t pay an optimistic picture, technological advancements and higher levels of awareness will hopefully change the situation for the better shortly.