The healthcare industry has long been notorious for its lack of cybersecurity protocols. It is a soft-target industry because of the ease with which hackers can get in and obtain information. Hospitals and medical facilities tend to have a large number of employees, from cooks and janitors up to researchers and surgeons. Even smaller practices with only a few physicians on staff have schedulers, nurses, cleaning and maintenance staff. The attack surface is large, yet cybersecurity is often overlooked by the healthcare industry. This practice has to change, and it has to change now.
According to Health ITScience, “The healthcare sector saw a whopping 41.4 million patient records breached in 2019, fueled by a 49 percent increase in hacking, according to the Protenus Breach Barometer. And despite the COVID-19 crisis, the pace of healthcare data breaches in 2020 continue to highlight some of the sector’s biggest vulnerabilities.”
The article goes on to list the top 10 breaches of 2020, which means it is not an all-inclusive list of healthcare breaches. In the first half of 2020, the top 10 breaches alone exposed over 2.9 million patient records. These breaches were caused by stolen laptops, improper records destruction, ransomware delivered through socially engineered phishing schemes and more. What is truly important to note is that the 41.4 million records were not stolen from a handful of sources; they are the accumulation of an astounding number of indiscriminate attacks.
Varonis, a 15-year-old cybersecurity company, put together a list of statistics around breaches. Three that should get any business's attention are:
- Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
- The average time to identify a breach in 2019 was 206 days. (IBM)
- The average lifecycle of a breach was 314 days (from the breach to containment). (IBM)
Those staggering statistics, on top of the sheer number of patient accounts exposed in the first half of 2020 alone, should be a massive wake-up call to the healthcare industry. It is not just about securing the internal systems at their facilities; it is about IAM controls for vendors and employees, remote access protocols and insider threats. Information, data, is today's hot commodity. Hackers seek information to exploit businesses and people across the globe. The more information and data they can collect, the more they stand to gain.
HIPAA regulations require healthcare facilities to protect patient information. That information is not limited to medical records, either; it also includes identifying information like Social Security numbers, driver's license numbers, birthdays, phone numbers, addresses and anything else that someone could use to steal an identity. When breaches happen, they cost facilities exorbitant amounts of money, not just to fix whatever weakness was exploited, but in fines, fees and legal action taken by affected patients.
The other aspect of security at healthcare facilities involves employees. Vendors that are not in-house, like legal and accounting firms, have the potential to cause a problem, too. Both the legal and accounting industries are soft targets as well, only in this instance it is employee information that becomes exposed. On top of that, many healthcare facilities and institutions have in-house research teams and programs that hold proprietary information.
The healthcare industry employs a wide variety of people and uses third-party vendors for various services throughout its buildings, which makes it an even softer target. The fact that it is a soft target is extremely concerning for people all over the world, because everyone sees a doctor at some point in their life. Yes, cybersecurity comes at a cost; most healthcare facilities operate on a limited budget, and some are non-profit organizations. However, cybersecurity needs to be implemented on a large scale, so these facilities and organizations have to find a way to fit it into their budgets. It may not be easy, but this up-front cost will end up saving them millions in fees and lawsuits in the long run.