Healthcare data hacks up 125%, cost $6 billion a year
Misplaced laptops used to be the biggest cybersecurity threat to the healthcare industry, but things have changed. Criminal attacks have surpassed accidental data breaches for the first time ever, skyrocketing 125% in the last five years. According to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, 45% of healthcare providers reported that the cause of their data breach was a criminal attack, while 12% attributed it to an inside job. Moreover, medical identity theft almost doubled in five years, from 1.4 million victims to over 2.3 million last year. Additionally, the Department of Health and Human Services database indicates that twice as many health records were stolen or hacked into last year as in 2010 – affecting 88.4 million people. This information may be used to take out a loan, open a line of credit, or commit medical identity theft.
“The healthcare industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable,” said Tom Kellermann, chief cybersecurity officer at Trend Micro Inc., who wasn’t involved in the study. Cybercriminals have not only switched targets – from retailers and financial firms to hospitals and doctors (understandably if not justifiably so; Social Security numbers, insurance IDs, addresses and medical details fetch prices 20 times higher than credit card numbers) – but are doing so in full force. “We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks,” Institute Chairman Larry Ponemon said. “While employee negligence and lost/stolen devices continue to be major causes of data breaches, criminal attacks are now the number-one cause.”
The report found that the financial cost of data leaks per organization averaged $2.1 million – totaling $6 billion a year. Although all healthcare organizations, big and small, are at risk of information breaches, few have either the technology or the trained staff to face threats and protect customers’ info. 91% of healthcare providers had one data breach, 39% had 2-5 data breaches, and 40% had more than five data breaches in the last two years. In spite of this, about two-thirds of respondents do not offer any protection services for users whose data has been illegally accessed. “The organizations are getting better, but it is a slow-moving train,” Ponemon said, adding that several firms are making the move from paper-based to automated systems, rendering them “very vulnerable to criminal attacks” during this transition.
A previous study published in the April edition of the Journal of the American Medical Association found that over 900 data breaches involving at least 500 people occurred between 2010 and 2013. Six of the breaches affected more than 1 million records out of a total of 29 million records. About 82% of the reported breaches were due to criminal attacks. Despite these massive numbers, experts such as Patrick Peterson, chief executive officer of data security firm Agari Data Inc., believe this is just the “tip of the iceberg,” as only approximately half of hacks are discovered. Finding the culprits isn’t easy either, since they conduct hidden, anonymous bitcoin transactions on private forums or the so-called Dark Web.