Data Breaches In Healthcare: Prevent, Prevent, Mitigate

Updated on December 21, 2023

Every day, a hospital pops up in the news for another data breach. The routine is familiar – individuals receive notification of the breach and assurances that the health system is doing everything to mitigate the damage.

Health data breaches reported to HHS’ Office for Civil Rights have soared in 2023, on pace to double last year’s total, according to a POLITICO analysis of the latest agency data.

“Nearly 89 million people in the U.S. have had their sensitive health information breached so far this year, up from 43.5 million during the same period last year,” POLITICO reports as of this writing. “That includes a breach HCA Healthcare reported in late July that impacted 11 million people, one of the largest data security incidents ever, as well as a ransomware attack on dental plan Managed Care of North America that impacted about 9 million people.”

As recently as November 2023, another major breach was announced. USA Today reported that hospitals run by Ardent Health Services in at least four states diverted patients from their emergency rooms after a ransomware attack hit the healthcare company.

The company said in a news release that “patient care continues to be delivered safely and effectively” in its hospitals, emergency rooms, and clinics. Still, it moved some emergency room patients to other hospitals and rescheduled some non-urgent, elective procedures “in an abundance of caution” until systems are back online.

Ponemon Institute and Verizon Data Breach Investigations Report data show that healthcare reports more data breaches than any other sector. Part of the reason is visibility rather than weakness: the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to report breaches of unsecured protected health information, and breaches affecting 500 or more people are published by HHS, so healthcare incidents get counted where a retailer's or a manufacturer's would go unreported. The underlying causes are the same ones that hit every other sector.

Causes of Healthcare Sector Breaches

Breaches have many causes, including credential-stealing malware, insider actions (malicious or accidental), and lost or stolen devices.

Protected health information (PHI) is more valuable to criminals than credit card data or ordinary personally identifiable information (PII), which gives them a stronger incentive to target medical databases: stolen PHI can be sold on, or used directly for fraud. So far, more than 15 million health records have been compromised in breaches, according to the Health and Human Services breach report.

Why is PHI More Valuable than PII?

For organizations outside healthcare, the average data breach cost is $158 per stolen record. In healthcare, that skyrockets to more than $350. According to the Infosec Institute, credit card information and PII sell for between $1 and $2 on the dark web, but PHI can sell for more than $360. Why? A health history cannot be changed. A compromised credit card can be cancelled and reissued, and even a Social Security number can be replaced in limited circumstances, but a person's diagnoses and medical history are permanent, so stolen PHI never loses its value.

Stolen PHI can be used to file fraudulent insurance claims, to buy medical equipment that is then resold, and to obtain prescription drugs for personal use or illegal resale.

Taking Steps to Prevent Security Issues

Proper application security and network security are essential to keep an attacker out in the first place. Encryption is the second line of defense: data encrypted at rest and in transit stays unreadable to an attacker who obtains a disk image, a backup or a network capture but not the keys. It does not protect against an attacker who logs in with a stolen credential, because the application decrypts the data for any authenticated user, so encryption has to be paired with strong authentication, least-privilege access and key management that keeps keys separate from the data they protect.

It is essential that encryption is actually implemented, and that business partners and vendors with access to healthcare networks or databases handle the data to the same standard; under HIPAA that obligation is put in writing in a business associate agreement, and it should be verified rather than assumed.

Employee training on the proper use and handling of PHI is also recommended, since a large share of breaches comes down to a lost device or an accidental disclosure.

Protect the Most Common Attack Vector

Email is far and away the most common attack vector. Even if you use a patient portal or similar technology, most healthcare organizations still communicate via email. Given that, invest in high-quality email protection (filtering, attachment sandboxing, link rewriting, and sender authentication with SPF, DKIM and DMARC) to reduce the chance that attackers can phish your users or reach them with malicious attachments or links. No filter stops everything, so pair it with an easy way for staff to report suspicious messages.

Email Encryption

For organizations that communicate directly with patients via email, you want to be sure that you are reaching your patients and that no one else can read those communications. Ordinary email is only opportunistically encrypted in transit: a hop between mail servers can fall back to plaintext, and the message sits readable on every intermediate server, so emails containing patient information are a ripe target for interception. End-to-end email encryption (S/MIME, PGP, or a secure-message portal) encrypts the message to the patient's key so that only they can read it, whichever servers it passes through.
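As an added example for the two email sections above (it is not code from this article or from VIPRE), here is a Python triage pass that a mail gateway or SOC analyst could run over a suspicious message. It reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header that the organisation's own MX added, flags a sender domain that imitates the organisation's domain through digit-for-letter substitution or a one- or two-character edit, lists executable or macro-enabled attachments, and reports which SMTP hops delivered the message without TLS, which is exactly the gap that end-to-end encryption closes. The sample message, `ORG_DOMAIN`, the homoglyph table and the extension list are constructed assumptions.

```python
"""Inbound e-mail triage: sender authentication results, lookalike sender
domains, risky attachment types, and which SMTP hops used TLS.

Added example for this article, not VIPRE product code. The sample message,
ORG_DOMAIN, the homoglyph table and the extension list are constructed
assumptions, and the heuristics are deliberately simple."""
import email
import re
from email.message import Message
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"  # assumed: the organisation's own domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk",
                    ".docm", ".xlsm", ".pptm"}
# Digits commonly swapped for letters in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample: the display name claims the CFO, the real sender is a
# lookalike domain, SPF/DMARC failed, the hop into our MX was plaintext and
# the attachment is a macro-enabled Word document.
SAMPLE_RAW = """\
Received: from mx.example-health.org (mx.example-health.org [192.0.2.10])
\tby mail.example-health.org (Postfix) with ESMTPS id 4C2aB1
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384); Mon, 4 Dec 2023 09:12:01 +0000
Received: from relay.examp1e-health.org (relay.examp1e-health.org [198.51.100.7])
\tby mx.example-health.org (Postfix) with ESMTP id 7Fd91A; Mon, 4 Dec 2023 09:11:58 +0000
Authentication-Results: mx.example-health.org;
\tspf=fail smtp.mailfrom=examp1e-health.org;
\tdkim=none;
\tdmarc=fail header.from=examp1e-health.org
From: "Jane Doe, CFO" <jane.doe@examp1e-health.org>
To: billing@example-health.org
Subject: Updated patient invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached invoice and confirm the patient balance today.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_org(domain: str) -> bool:
    """True when the domain imitates ORG_DOMAIN without being it."""
    d = domain.lower()
    if d == ORG_DOMAIN:
        return False
    folded = d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return folded == ORG_DOMAIN or levenshtein(d, ORG_DOMAIN) <= 2


def auth_results(msg: Message) -> dict:
    """spf/dkim/dmarc verdicts from the Authentication-Results our own MX added."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def plaintext_hops(msg: Message) -> list:
    """Sending hosts whose Received line shows no ESMTPS / TLS, i.e. cleartext."""
    hosts = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold the header
        m = re.match(r"from\s+(\S+)", flat)
        if "ESMTPS" not in flat and "using TLS" not in flat:
            hosts.append(m.group(1) if m else "?")
    return hosts


def risky_attachments(msg: Message) -> list:
    """File names of executable or macro-enabled attachments."""
    return [part.get_filename() for part in msg.walk()
            if part.get_filename()
            and part.get_filename().lower().endswith(tuple(RISKY_EXTENSIONS))]


def triage(raw: str) -> dict:
    """Run every check and return a verdict with the reasons behind it."""
    msg = email.message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    result = {
        "display_name": display_name,
        "sender_domain": domain,
        "lookalike": looks_like_org(domain),
        "auth": auth,
        "plaintext_hops": plaintext_hops(msg),
        "risky_attachments": risky_attachments(msg),
        "reasons": [],
    }
    if result["lookalike"]:
        result["reasons"].append("sender domain imitates " + ORG_DOMAIN)
    if auth.get("dmarc") == "fail":
        result["reasons"].append("DMARC failed")
    if result["risky_attachments"]:
        result["reasons"].append("risky attachment: " + ", ".join(result["risky_attachments"]))
    result["verdict"] = "quarantine" if result["reasons"] else "deliver"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key:18} {value}")
```

Two caveats matter in practice. Only the Received header written by your own MX (the topmost one) can be trusted; anything below it was supplied by the sender and can be forged, so the plaintext-hop list is evidence of what the wider mail path looked like, not proof. And an Authentication-Results header is only meaningful when your gateway strips any copy that arrived from outside before adding its own, otherwise a sender can simply assert `dmarc=pass`.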

RBI

Remote browser isolation (RBI) lets a suspicious link open in a cloud-hosted browser that is isolated from the user's desktop and local browser: the page's code runs remotely and only a rendering is streamed back, so a staff member or IT admin can see what a real visitor would see without the page ever touching the endpoint. It is a containment control, not a verdict; a phishing form rendered in an isolated browser still collects whatever the user types into it, so pair RBI with credential-entry blocking or user training.

Archiving

Healthcare is an environment where everyone has to be very careful about communication. In an arena where a patient's misinterpretation of advice could lead to a lawsuit, it is critical to establish exactly what was communicated and when. Email archiving, with comprehensive capture, rapid search and flexible retention policies, lets you produce that evidence on demand; the same archive is what an incident responder searches to establish what a phished mailbox sent and received during a breach.

The continual and alarming rise in healthcare data breaches underscores the industry's urgent need for robust cybersecurity measures. The staggering number of individuals affected by these breaches, coupled with the increasing sophistication of attacks, necessitates a comprehensive approach to safeguarding sensitive health information.

The healthcare sector’s vulnerability to data breaches is multifaceted, ranging from credential-stealing malware to insider threats and the growing menace of ransomware attacks. The value cybercriminals place on PHI exacerbates the prevalence of such incidents compared to other forms of personal data. The immutable nature of medical histories makes PHI particularly attractive for various illicit activities, further emphasizing the need for heightened security measures.

The solution is to address the root causes of healthcare breaches, which requires a concerted effort to implement and enforce stringent security controls. Encryption, both at rest and in transit, is a critical safeguard against unauthorized access to patient data, provided the keys are protected and access to the decrypting applications is tightly controlled. Proper application security, network security and comprehensive training programs then minimize the risk of breaches that start with employee error.

Recognizing that email remains the most common attack vector, investing in high-quality email protection becomes imperative for healthcare organizations. Robust email encryption ensures the confidentiality of patient communications, mitigating the risk of interception by malicious actors. Additionally, RBI capabilities offer a proactive defense against potentially harmful links, allowing IT administrators to investigate without compromising the organization’s network.

Furthermore, the healthcare industry should consider implementing archiving solutions to maintain a detailed record of communications. In an environment where clarity and accuracy in communication are paramount, archiving features such as comprehensive archiving, rapid searches, and flexible retention policies become invaluable tools.

As the healthcare sector grapples with the escalating threat landscape, a proactive and multifaceted approach to cybersecurity is not merely advisable but imperative. Only through a combination of technological defenses, ongoing training, and a commitment to compliance can healthcare organizations hope to protect the integrity and confidentiality of patient data in an increasingly digitized and interconnected landscape.

Oliver Paterson

Oliver Paterson is Director Product Management for VIPRE Security Group.