Healthcare Organizations Beware: Hackers Are Coming For Medical Records and PHI

Cyber Attacks Now Directed at the Healthcare Industry

The healthcare industry is moving towards utilizing the latest and greatest technologies to take advantage of global research resources and talent, while also leveraging automated, computerized and networked systems and applications to improve the quality, efficiency and effectiveness of healthcare around the world.

While the results of this modernization are clearly apparent in improved patient care and prolonged life expectancy, the speed with which new technology is being adopted in the healthcare industry, combined with an apparent lack of focus on cybersecurity, opens the door for hackers and cyber terrorists to exploit the vulnerabilities of these networks. They look for ways to gain access to hospital systems, patient data and personally identifiable information, and then exploit that information for financial gain or worse.

The statistics clearly show that cyber criminals are targeting healthcare organizations, medical records, protected health information (PHI) and personally identifiable information (PII):

  • In 2015, PwC’s Health Research Institute’s Annual Report stated that an estimated 85% of large health organizations experienced a data breach in 2014, with 18% of breaches costing more than $1 million to remediate.
  • Approximately 29.3 million patient health records have been compromised in a HIPAA data breach since 2009, according to healthcare IT security firm Redspin.
  • In January 2015, Anthem disclosed that over 80 million health records were stolen from their systems as a result of a sophisticated attack which resulted in a network breach.
  • Earlier in 2016, Bloomberg Business reported that criminal attacks against healthcare providers have more than doubled in the past five years, costing the U.S. healthcare system $6 billion per year.

Why Target Healthcare Systems, Medical and Patient Records?

Why the change in focus, with cyber attacks now targeting the healthcare industry? Medical information is worth 10 times more than a credit card number on the black market, according to Reuters. According to Aberdeen Group, medical records can bring in as much as $500 per patient.

One reason medical data is more valuable on the black market than other types of personally identifiable information is that, once the bad guys get their hands on it, it's difficult for the victim to take action to protect themselves. While it's very easy to cancel a stolen credit card and dispute fraudulent charges, the process of resolving medical ID theft is not clear, as hospitals and insurers do not have a defined process for helping patients cope with the consequences of identity theft. Healthcare information is essentially non-recoverable and thus very dangerous in the wrong hands. While financial institutions have heavily focused on securing their network infrastructure and the framework for their online transactions in recent years, many health insurers and hospitals have not yet put in the necessary effort to harden the security of their networks and processes beyond the regulatory compliance rules they need to abide by.

Cyber Terrorism Targeting Medical Equipment

Medical devices such as insulin pumps and digital pacemakers are also increasingly at risk of being hacked and compromised by threat actors. Security researchers have already demonstrated that it is possible to access a connected insulin pump and remotely modify its dosage rates. As our medical devices become increasingly connected and smart enough to make autonomous decisions based on available data, the possibility of a threat actor modifying that data to do harm increases exponentially.

Healthcare: Prepare for Cyber Attacks!

The HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for protecting PHI.

Specifically, the HIPAA Security Rule requires that regulated entities mandated to implement the rule must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.

While internal systems and firewalls need to be reviewed for security holes and backdoors, and all medical devices updated and patched to ensure the highest possible security, healthcare organizations also need to put in place additional measures to protect their networks and web applications from vulnerabilities. A cybersecurity solution that can tailor the protection to the specific needs of each web application can ensure security vulnerabilities are minimized. A cloud-based cybersecurity solution delivered as a managed service will minimize the upfront investment, as there is no security hardware to install and maintain, and the monitoring and management of the solution is done by the vendor, which eliminates the need to find and hire security experts.

Speak to ZENEDGE about your cybersecurity needs. We understand that the protection of medical data from cyber attacks is increasingly becoming a challenge in the business of saving lives, and that threats to patient health and safety are real life matters. We have a cybersecurity solution to address the specific needs of the healthcare industry, while adhering to the strict regulatory guidelines.

Learn more about ZENEDGE solutions for Healthcare
