In February 2015, Anthem Inc., the second largest health insurer was hit by one of the largest ever data breaches. Hackers managed to gain access to Anthem’s database, which contained personal information of as many as 80 million customers and employees. The hackers were able to get their hands on information such as birthdays, names, Social Security numbers, email and street addresses, medical identification numbers, employment information and much more.
Electronic health records (EHR) give healthcare professionals the ability to digitally share patient data quickly and effectively. EHRs have improved the efficiency of many healthcare organizations, which has increased the quality of care being administered to patients.
However, as evidenced by the Anthem breach, there is a negative side to using EHRs. Digitally storing patient data makes this information easily accessible, but also increasing the risk of patients’ health information being accessed by the wrong people.
The Poneman Institute’s “Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data” showed that healthcare data breaches remain consistently high when it comes to volume, impact, frequency and cost. Almost 90% of the organizations represented in the study experienced a data breach in the past two years, and 45% experienced more than five data breaches over a two-year period. Based on the study’s results, estimates show that data breaches could be costing the healthcare industry around $6.2 billion.
According to the study, criminal attacks are the leading cause of healthcare data breaches followed by internal problems such as employee mistakes and stolen devices. Making these situations worse is the fact that breaches sometimes aren’t detected by the organization for months at a time.
This is why healthcare data security should be a top priority for medical organizations today and continuing into the future.
Common Security Threats Within the Healthcare Industry
One of the best ways for healthcare organizations to protect themselves against data breaches is to be aware of common threats so that the proper precautions can be taken in an effort to safeguard patient data. Three common threats that healthcare organizations should constantly guard against are:
Theft and Loss: Since 2010, 68% of all healthcare data breaches have resulted from either device theft or loss, according to the Healthcare Breach Report released by Bitglass in 2014. These statistics show the need for healthcare providers to take extra care when it comes to securing patients’ healthcare data that lives on desktops and more importantly, mobile devices like laptops, tablets and smartphones.
Patients, the ones that fall victim to these healthcare data breaches, could potentially face a number of complications as a result, including lost insurance coverage, bad credit, higher premiums and mixed-up records. In most cases these issues are just the beginning.
By ensuring the security of healthcare data on end-users’ devices, healthcare organizations can make sure that, even if a device is lost or stolen, sensitive patient information will not be compromised.
Healthcare organizations are and will continue to be one of the most targeted sectors for cyber criminals mainly because of the high value of stolen data and the implementation of electronic health records, according to Experian’s Data Breach Industry Forecast.
Researchers noted in the report that, “Sophisticated attackers will continue to focus on insurers and large hospital networks where they have the opportunity for the largest payoff,” according to the report.
“With the move to electronic health records (EHRs) continuing to gain momentum and becoming more widely accessible through mobile applications, the attack surface continues to grow,” the report warned.
When it comes to targeted attacks, attackers usually have a specific organization in mind and have spent many hours and countless resources setting up and then carrying out the attack. The main goal of a targeted attack is to gain access to the target’s network so that confidential information can be stolen from the server.
It can take healthcare organizations as long as a year to discover they have suffered from a targeted attack. By then thousands and sometimes millions of patient records and information already have been compromised.
A number of healthcare providers do not think about the security of their mobile devices the way they do their conversations and emails. In most cases, mobile devices are believed to be more secure than they actually are, and as the use of them within healthcare organizations increases, more and more patient data is being put at risk. Because of this, healthcare providers need to make the security of their mobile devices more of a priority in order to better protect confidential patient information.
To help healthcare organizations improve their security practices for mobile devices, the Office of the National Coordinator for Health Information Technology created a five-step process for them to follow.
This five-step process includes:
- Deciding what mobile devices will be granted access to the network
- Assessing the risk that mobile devices bring to the organization
- Coming up with a risk management strategy
- Developing a mobile device management plan
- Training all staff members in mobile device security
As more people become insured and seek medical treatment, and more electronic health records are compiled by healthcare and insurance providers, the industry itself must address how that data is safely and securely stored.