Surprisingly, many of the worst cyberattacks on the healthcare industry go unreported. The WannaCry ransomware attack in May 2017, which paralysed health organisations across Britain, highlighted how vulnerable hospital network security is.
That picture is borne out by a recent survey conducted by Bloomberg Law and the American Health Lawyers Association of 300 attorneys attending the annual meeting of the Association of Corporate Counsel. The survey found that 97% of corporate health care attorneys believe their organizations are at greater risk of cyber attacks than other industries. That is nearly unanimous! Some of the other findings from the survey include:
- 70% of those surveyed are working to develop data security expertise to meet the need within their organizations.
- 84% say they have been called upon to evaluate whether a security incident triggers reporting obligations; most of them have then been asked to develop the relevant internal policies and procedures.
- 97% said they expect their involvement in cybersecurity concerns to keep increasing over the coming several years.
- 40% reported that their organizations' or clients' plans are too generic and lack specific guidance and testing.
- One-third said their organizations' plans were out of date with respect to the latest types of cyber threats or to organizational changes.
The fact is, it doesn't take 300 attorneys to tell us that the health care industry is under siege by cyber criminals. Other reports have shown that 88% of ransomware attacks during the second quarter of 2016 were directed at health care organizations. The threat is so concerning that Jocelyn Samuels, Director of the HHS Office for Civil Rights, said:
“One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”
And it isn't just attorneys who are concerned about the security of healthcare organizations. In a survey conducted by KPMG, 80% of healthcare staff said their organization's information technology had been compromised this year.
This hasn't always been the case. As recently as three years ago, healthcare organizations were not under siege by cybercrime to nearly the extent they are today. According to the 2016 Cyber Security Intelligence Index published by IBM X-Force, five of the eight largest healthcare security breaches since the beginning of 2010 took place during the first six months of 2015. In each of these eight attacks, over 1 million records were reported compromised. In fact, a single attack in 2015 resulted in the compromise of 80 million records. This disturbing trend is further illustrated by the following comparison from IBM's findings:
The top five industries in 2015 for cyberattacks
- Financial services
The top five industries in 2014 for cyberattacks
- Financial services
So in 2014 healthcare wasn't even on the map as a cyber target, yet within one year it had surpassed the financial services industry. Overall, the number of cybercrime attacks levied against healthcare organizations increased by over 125% between 2010 and 2015. This alarming development is likely due to cybercriminals recognizing how valuable healthcare data is to them. According to a Reuters article from 2015, medical record information has a higher value than credit card data, and a report by the InfoSec Institute found that in 2015 Medicare ID numbers fetched a far higher price on the black market and dark web than social security numbers did. Patient electronic health records (EHRs) contain data that can be sold for multiple purposes, such as medical identity theft or fraudulent prescription drug claims. A huge drawback of EHR data is that, unlike a credit card, it cannot be canceled and reissued once stolen.
This upward trend may also be attributed to the fact that the healthcare industry is far more vulnerable to cybercrime than industries such as financial services, which have considerable experience in shoring up their security systems. In the past, hospitals and similar healthcare facilities have usually had minimal IT staff, lacking the knowledge base and experience to combat these mounting threats. Fortunately, this situation is improving. As one indicator, many large healthcare organizations are now luring chief information security officers away from the financial services and energy sectors with large compensation packages. Just two years ago, this position barely existed within the healthcare industry.
Measures such as these are badly needed in the healthcare industry today. According to the Ponemon Institute, a leading security research organization, the average cost of a breach at a U.S. healthcare organization is over $2.2 million. Industry-wide, the annual cost is thought to be as much as $6.2 billion. At some point these losses become unsustainable, leading to possible bankruptcies or worse. The good news is that industry executives, legal counsel, and even the U.S. Congress and other governments have recognized the seriousness of the problem.
Are you an IT professional working in the healthcare sector who wants to ensure sensitive data and devices are protected? Talk to a specialist or email us at firstname.lastname@example.org with any questions.