2017 Will Be the Year of the Healthcare Breach (Again)
The new year won’t bring relief for the healthcare industry, which faces a range of new, sophisticated attacks seeking paydays and access to electronic health records, a new report finds.
2015 was the year of the healthcare breach. So was 2016. And now it looks like 2017 might be the year of the healthcare breach, also!
That’s according to a report released by Experian, the credit rating agency and identity protection firm.
The healthcare sector will continue to be “a focal point for hackers,” Experian said on Monday, noting that healthcare organizations will face threats from medical identity thieves as well as criminals running ransomware scams.
The healthcare sector, including insurance firms, hospitals and doctors’ offices, has long been a prime target for cyber criminals and even nation-state actors. The breach of systems operated by Anthem Healthcare in 2015 was attributed to attackers based in China. Attacks on healthcare organizations by sophisticated actors have been ongoing for years. In 2014, an investigation of a hack at the hospital chain Community Health Systems also pointed to hackers operating out of China.
As we’ve noted in this blog: attackers’ focus on healthcare firms makes total sense. The Affordable Care Act created massive new incentives for hospitals and doctors’ offices to migrate from paper record keeping to so-called “electronic medical records” or EMR, and to join larger networks of providers, known as “Accountable Care Organizations” or ACOs, that coordinate patient care. That has tended to consolidate data from scores or even hundreds of providers onto common and (often) web-based EMR systems.
A 2014 report from The Ponemon Institute found that 69 percent of organizations surveyed believed the ACA increases the risk to patient privacy and security.
Of course, data theft is only one risk. The Experian report also notes the wave of ransomware attacks on healthcare organizations, such as Los Angeles-based Hollywood Presbyterian hospital, which paid an estimated $17,000 ransom earlier this year to regain access to its ransomware-encrypted systems.
According to IBM’s midyear security report, more than 100 million healthcare records were compromised – the most of any industry.
Experian cites many reasons for this. The distributed nature of healthcare environments, the relatively open access to them and the value of the data they store are all factors. Circumstances tend to favor the attackers, who only need to find one vulnerable system to exploit, whereas hospitals have to protect every system from attack. And that may get harder as more mobile health applications are adopted, introducing new vulnerabilities and attack vectors into healthcare organizations.
Looking at the year past, Experian noted that there were 181 reported healthcare breaches, ranging in size from 500 to 3.6 million affected individuals. That number included several large breaches with more than 5 million records lost (Experian notes Banner Health and 21st Century Oncology) but many more small breaches. Breaches impacting 200,000 people or fewer accounted for 96 percent of all healthcare-related breaches and impacted 1,400,872 individuals, the company found.

Update 12/6/2016: a previous version of this article attributed the report to Experian and the Ponemon Institute in error. The post has been updated to reflect that the report is the work of Experian alone.