Physician-staffing firm, EmCare, became the latest of several victims within the healthcare industry of an email phishing scam, as an unidentified hacker recently gained access to the accounts of multiple EmCare employees. The fallout was devastating: 60,000 people–more than half of which were patients–saw their personal information, such as names, birthdates, private clinical data and even Social Security numbers become compromised.
Company officials at EmCare have declined to provide specifics on when they first became aware of the email breach but offered that their focus going forward will be centered on “… providing impacted individuals information about the incident and guidance on how they can protect themselves.”
An alarming trend
The recent EmCare email breach is not an isolated incident within the healthcare industry. In fact, healthcare has become the most vulnerable industry for such incidents as the number of email data breaches in the last two years has witnessed a bigger increase in healthcare than in any other industry.
A recent article published on ModernHealthcare.com shows that the number of reported healthcare email breaches doubled between 2016 and 2017. While the number of incidents plateaued in 2018, the number of individual healthcare records that were exposed doubled from last year.
So why have healthcare providers become such a popular target among phishing hackers? While the financial industry is obviously “where the money’s at,” financial institutions have made it very easy for their customers to cancel and replace a stolen credit card. But you can’t just cancel and replace your social security number or other private information, and nowhere is such data more readily available to hackers than in healthcare records.
The problem
When you purchase a car, no one asks you if you’re going to get car insurance. It’s assumed that you will because it’s of vital importance. Yet for some reason, the same logic doesn’t apply to email security. Even for healthcare providers whose databases contain private information that if compromised, could place their patients in dire circumstances.
With new technology comes to new terminologies, like cybersecurity. Unfortunately, this new technology also spawns the creation of new methods to bypass security measures. And while data breach may not be a new term or even a new problem, in 2019, it’s become a massive issue, particularly in the healthcare industry.
In 2015 alone, there were more than 750 cyber data breaches, with the top seven cumulatively involving 193 million personal records that were available for hackers to use for fraudulent activities and identity theft. The top three data breaches that year were all in the healthcare industry.
Healthcare records are full of highly sensitive information, from social security numbers and other personal data to medical histories and health insurance information — everything a hacker needs to steal someone’s identity. But besides the wealth of juicy details these records include, it’s the vulnerability that exists in the industry that attracts trouble.
Besides being a repository of vital information that hackers need, the healthcare industry has been particularly vulnerable because of the weak link philosophy. You’ve probably heard that a chain is only as strong as its weakest link. This is also true when it comes to cybersecurity. And it’s something hackers prey on.
According to a 2016 Healthcare Industry Cybersecurity Report, the healthcare industry had the fifth highest amount of ransomware counts of all industries. The report also stated that more than 77 percent of the entire industry was infected with malware. According to the report, the most prevalent weaknesses existed in “health treatment centers, insurance providers, manufacturers and hospitals.” In other words, everywhere.
The authors of the report mention how the industry is facing pressure from both sides ? from hackers who specifically target them and employ different methods in doing so, and from regulatory agencies who are trying to prevent this from happening.
The problem doesn’t rest with the IT departments in most cases, but rather with the employees who aren’t prioritizing, or even aware of, security issues and with those who have been tasked with training and managing them.
“The low social engineering scores,” the report states, “among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient and this poses a real risk to those organizations.” Hackers know that these employees represent low-hanging fruit. This is why they’ve become such a target.
The main risks, according to the report, are the wireless devices so prevalent in the industry and the amount of information that’s exchanged through them. While these devices are beneficial for their speed and access to information, the way in which they’ve been mishandled and implemented is resulting in added security risks.
How these breaches affect consumers
A survey by Accenture in February of 2017 revealed that healthcare security breaches affect 26 percent of U.S. consumers. And 50 percent of those had their identity stolen, resulting in an average out-of-pocket cost of $2,500 per person. That means for every eight people, one person has had their identity stolen as a result of a healthcare data breach. But perhaps the greater aspect of this problem is reach, as in nearly everyone has health records in the system.
In the largest healthcare data breach to date, Anthem Blue Cross, in January of 2015, had 78.8 million patient records stolen. This included information such as dates of birth, addresses, and social security numbers ? the information hackers most need to steal someone’s identity.
In the case of the Anthem Blue Cross breach, consumers weren’t told about the breach by law enforcement or Anthem themselves. They found out the hard way: by noticing something was wrong on their bank and credit card statements.
How healthcare companies can improve security
The need to take extra precautions when dealing with sensitive healthcare data is obvious. But if the problem was easy to solve, it wouldn’t be a problem to begin with. And unfortunately, for every zig in security measures, there are a hundred hackers ready to zag.
Assess the larger risk as it pertains to the entire system, rather than relying on specific vulnerability analyses.
Always know where your sensitive data is being stored.
Improve training across the board. Impart the risks and precautions to employees, and make certain all understand policies and procedures before handling any consumer data.
Address the issue of third-party vendors. Make sure they’re handling your sensitive data properly.
Reinforce the infrastructure, including all software, with extra cybersecurity measures.
While the theft of information that leads to someone’s identity being stolen is the main risk, it isn’t the only risk. When sensitive medical conditions are made public, it can affect a person’s ability to get or keep a job and their professional and personal relationships.
The impact on businesses and organizations is also dire when leaks occur, as their trust, credibility, and reputation suffer dramatically. They also open themselves up to the possibility of massive fines and lengthy investigations.
The FDA recently issued new guidelines for securing data in medical devices, such as smartphone apps. This is especially important, as the HIPPA (Health Insurance Portability and Accountability Act) Journal has stated that 91 percent of cyberattacks are the result of personalized phishing emails sent to employees.
Results of the 2013 HIMSS Security Survey show that, despite progress toward hardened security and use of analytics, more work must be done to mitigate insider threat, such as the inappropriate access of data by employees. Although federal initiatives such as OCR audits, meaningful use and the HIPAA Omnibus Rule continue to encourage healthcare organizations to increase the budgets and resources dedicated to securing patient health data, in the previous 12 months, 19 percent of respondents reported a security breach and 12 percent of organizations have had at least one known case of medical identity theft reported by a patient.
The 2013 HIMSS Security Survey, supported by the Medical Group Management Association and underwritten by Experian Data Breach Resolution, profiles the data security experiences of 283 information technology (IT) and security professionals employed by U.S. hospitals and physician practices. The data from respondents suggests that the greatest perceived “threat motivator” is that of healthcare workers potentially snooping into the electronic health information of friends, neighbors, spouses or co-workers (i.e., inappropriate data access).
Recognizing inappropriate data access by insiders as an area for which organizations are at risk of a security breach, there has been increased use of several key technologies related to employee access to patient data, including user access control and audit logs of each access to patient health records. On a related note, although more than half of the survey’s respondents (51 percent) have increased their security budgets in the past year, 49 percent of these organizations are still spending 3 percent or less of their overall IT budget on security initiatives that will secure patient data. Continue Reading