Hackers zeroing in on data-rich health care industry

I’ve been on heightened awareness for identity theft for the past 18 months. I was among millions of past and present customers of the health insurance giant Anthem Inc. who were notified in the spring of 2015 that cyber attackers had successfully hacked the company’s electronic records.

I was advised that personal information, such as date of birth and Social Security number, might have been exposed. The notification surprised as well as angered me because I didn’t even know that Anthem had my records. But apparently, at some time, I had been covered by an affiliated organization.

Less surprising was the fact that hackers would target a health care organization with lots of consumer information. Data-rich organizations, including hospital systems, are big and growing targets for the electronic thieves around the world.

“Data breaches in health care are increasingly costly and frequent, and continue to put patient data at risk,” according to a 2016 Ponemon Institute study that was sponsored by ID Experts. The full title of the report is the “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.”

The results, published in May, indicate that many health organizations and their business associates are negligent in handling patient information. A series of high-profile data breaches has the industry on alert.

Other interesting findings in the study include:

  • Criminal attacks are the leading cause of data breaches in health care.
  • Regarding security incidents, employee negligence is a health care organization’s greatest concern.
  • Despite concerns about vulnerability to breaches, organization budgets are staying the same or decreasing.

The finding about stagnant budgets is baffling. But regardless of whether more resources are required, these organizations must find ways to better protect the privacy of consumer data from breaches and preventable mistakes. That’s a legal as well as moral obligation. The federal Health Insurance Portability and Accountability Act (HIPAA) includes privacy protections.

The study noted that the average cost of a breach to a health care organization is more than $2.2 million. That amount could provide a lot of security equipment or employee training.

Regional health care organizations such as Avera Health and Sanford Health in Sioux Falls probably are ahead of the national pack in taking precautions against data breaches. But just think about all of the other businesses, organizations and affiliates of all sizes that probably have detailed information about you on file in their computer systems.

In reality, most large health organizations probably have been hacked already. The majority of the organizations represented in the Ponemon study have experienced multiple data breaches.

The study reported that the organizations’ biggest cyber fear is a Distributed Denial of Service (DDoS) attack. DDoS attacks try to overwhelm and disable target networks by sending out waves of malicious electronic traffic.

Organizations’ next biggest fears are ransomware and other forms of malware.

Advances in technology have greatly improved business communications and made data storage easier. Unfortunately, the use of improved technology obviously has outpaced business organizations’ ability or willingness to protect data. Meanwhile, attacks are growing in sophistication and frequency.

It’s time that health care organizations collectively demonstrate greater concern for protecting patient information.

Typically, employees are the weakest link in any company’s security chain. Good, ongoing training can reduce that risk. Significantly, these organizations appear to recognize that with good employee training, most medical-related identification theft is preventable.

Encouragingly, they also recognize the importance of having formal incident-response processes in place to help deal with breaches.

Preventing DDoS and other forms of electronic attacks is an area in which companies such as SDN Communications can assist. SDN, for example, offers several managed services that are geared to increasing clients’ cyber defenses.

SDN services include Managed DDoS Protection, Managed Firewall, Managed Routers and Remote Network Monitoring. For the most part, they are subscription services in which SDN provides and maintains good equipment in exchange for a monthly fee.

SDN encourages businesses to invest the necessary time and resources to improve cybersecurity. We have a free guide to get you started, Cybersecurity Starts With The Basics, a booklet that walks you through nine steps to secure your business.
