$363. That’s how much a single stolen patient health record is worth on the dark market, according to data from the Ponemon Institute, making it worth more than any other piece of data from any other industry. In fact, your medical information is worth 10 times more than your credit card number.
As healthcare becomes increasingly digital through EHR adoption and telemedicine applications, the information systems the data runs on are becoming more vulnerable to cyber attacks.
But why is healthcare data so valuable and more appealing to cyber criminals?
- A healthcare record includes much more information than the financial data held by other industries: detailed identity data as well as financial data like credit card information;
- Information of a critical nature, making it much more attractive for ransom;
- Healthcare data carries a much higher value on the dark market;
- Multiple uses of the data, including medical fraud and basic identity theft.
Frequency & Impact of Cybersecurity Threats
Security breaches in healthcare are quickly becoming commonplace. The healthcare industry saw a 72% increase in cyber attacks between 2013 and 2014, according to security provider Symantec. And OCR reports that in 2015 there were 253 different breaches that compromised over 112 million records. While reasons vary, cyber threats accounted for 29% of the 2015 breaches, a number predicted to increase to 38% in 2016.
And if you think healthcare providers in rural areas are not at risk, think again. Cybersecurity threats do not discriminate by the size or rurality of an organization. Contrary to the prevailing “it’ll never happen to us” mindset in many rural communities, they are targets just like their metropolitan counterparts. In fact, with the lack of a skilled IT workforce in rural areas, aging and unmanaged technology puts rural healthcare providers at heightened risk. In one example, a critical access hospital in rural Illinois was hit with ransomware in 2014, and the attackers threatened to make all of the hospital’s patient data public.
When a breach occurs, it impacts a healthcare provider in multiple ways, including:
- Expense of breach notifications and administrative overhead in managing the breach;
- Technical remediation of the source of the breach;
- Reputation damage to the healthcare organization.
How to Protect Your Organization
So we now know that cyber security threats are very real, but how do you protect your patient data in the 21st century?
There are several areas that need to be appropriately managed in order to mitigate the risk of a cyber security event. Compliance with the HIPAA Security Rule is a great start; however, compliance does not equal security. Some of the areas that need consistent attention are:
- Inventory of devices accessing your network
- Patch Management solution to ensure known vulnerabilities are patched
- Up-to-date antivirus and anti-malware solution on every device
- Regular, third-party security risk assessments
- Encrypting patient data on servers and especially mobile devices
- Encrypting the transmission of patient data
There are also some low-tech solutions that can be put into place that will help mitigate your security risks:
- Limiting access to electronic systems through the principles of least privilege;
- Ensuring only IT Administrators have access to alter IT policies and system configuration;
- Keeping patient data out of sight to prevent smartphone cameras from snapping quick pictures;
- Implementing UCSC’s Password Strength and Security Standards.
Consulting with cyber security experts to assess your threats and continuously monitor your network for new threats is the best protection.
Cyber Security’s Impact on Telemedicine
Telemedicine and telehealth services rely completely on the transfer of data from one location to another, whether it’s through interactive video consultations, store and forward technology or remote patient monitoring. Unfortunately, this data can be stolen or even manipulated during transmissions by cyber criminals looking to harm patient outcomes.
That’s why all players in the health IT sector, including healthcare organizations, internet service providers, EHR vendors and data centers, need to join together and commit to helping protect our health data.
With some preparation, planning and investment in time and resources, all healthcare providers using 21st century technologies such as telemedicine can be on the path to 21st century security and protection, giving control back to the healthcare provider and peace of mind back to patients.