Healthcare data has become the primary target for hackers across the world. Last year, it accounted for nearly 67 percent of stolen records—that's 112,832,082 records in the U.S. alone. This year is not looking any better, as it already accounts for 34 percent of breaches and stolen records, second only to government-related breaches.
Why are healthcare organizations being targeted? For one, money talks. Criminal hackers can demand $20 for health insurance credentials and $50 or more for medical records on the black market. This is huge compared to the one to two dollars they can ask for credit card information. Just imagine you're Homer Simpson and you find a peanut in the sofa. Someone offers you $10 for it. Do you eat it for the immediate satisfaction or do you sell it? The answer is easy.
The reason medical records are valued so highly is because of the longevity and comprehensive nature of the information. When financial data is compromised the most a hacker can do is steal what's in the affected accounts. And credit card information becomes void as soon as the victim or bank notices suspicious activity and cancels it. On the other hand, healthcare records have a plethora of data that can't be changed. Weight, height, medical conditions, prescriptions, Social Security numbers, and even financial information can all be found in someone's medical records. This can all be used for identity or financial fraud, extortion and blackmail. Traditionally confidential, medical history out in the public eye could mean scandal or backlash, especially for those with a high profile.
Further, healthcare is notorious for being behind the times when it comes to adapting to the latest security threats. The addition of new technology, from the use of new applications and the cloud to the implementation of connected "smart" medical devices, has put an even greater strain on their already burdened networks.
Most recently, these factors have led to a surge in extortion via ransomware infections that usually stem from phishing emails with malicious payloads. Users unwittingly download and open attachments with the potential to negatively affect an entire organization's network—especially when they have admin privileges.
To address these issues and their effect on such sensitive data, healthcare organizations must of course bolster security. HIPAA compliance is not enough. They need to be able to guarantee patient data safety with solutions that offer 100 percent assurance. For instance, privileged and admin accounts in healthcare organizations must use security measures that allow for complete certainty of who is on the other end. People without privileged access should at least use multi-factor authentication to prevent identity spoofing. These two things alone could put a huge damper on the ransomware wave. Moreover, proper training is key in preventing slip-ups that could lead to malware infection or a data breach.
Because healthcare protects such a treasure trove of data, with certain people as custodians, it needs to ensure the most rigorous authentication of those people.
For their part, consumers will continue to expect healthcare providers to protect them. But they can bolster security themselves in a few easy steps, like using multi-factor authentication that is not based on SMS and changing passwords every so often. Hackers don't always have to get in through the back end to get to patient data. They can simply walk in through the front door with the right credentials.
Ultimately, healthcare does have a long journey ahead of it as it pivots to meet growing threats. But the right solutions are out there and a little bit of education can make a world of difference. Don't continue to lag or you could find yourself in the next healthcare breach headline.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.