2015 was a rough year for healthcare cybersecurity. The 113 million patient records breached was more than twice as many as in the five prior years combined. To make things even more discomforting, nine of the top ten incidents and more than 98 percent of the records stolen were the result of hacking attacks.
Healthcare IT is under attack, and it’s personal. Unlike credit card numbers, deep demographic data and other sensitive health information can’t be cancelled or deleted. The HITECH Act of 2009 required that all large breaches (500 or more records) of protected health information (PHI) be reported on a timely basis to the Office of Civil Rights in the Department of Health and Human Services. When HITECH went into effect, the primary concern was data loss through things like lost laptops or external drives containing unsecured patient information.
Today, thieves aren’t looking for a laptop to resell; they are targeting health information and other personal data to perpetrate medical ID theft and fraud. A year ago Anthem warned consumers that a sophisticated attack had succeeded in gaining access to some 78 million records. This was the largest PHI breach in healthcare history, and it was followed within the same year by two more (Premera Blue Cross with 11 million and Excellus Health Plan with 10 million), so that a single year produced the three largest healthcare breaches ever.
Beating Healthcare Cybersecurity in 2015
Common tactics among the attacks include phishing IT employees for their credentials and registering bogus websites well in advance, like the “we11point.com” address used in the Anthem breach, which was based on the company’s previous name, Wellpoint. The biggest challenge of these attacks is that they exploit human vulnerabilities rather than technical ones, meaning the best defense is training personnel to recognize and watch for suspicious activity.
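As an added example (not code from the original post or from Uplogix), the Python below shows how a defender can flag a registered or newly observed domain such as we11point.com as a lookalike of a protected brand: it maps digit-for-letter confusables back to letters and then measures edit distance against a watchlist. The watchlist and the domains checked are constructed for illustration.

```python
import unicodedata

# Digits and symbols attackers commonly swap in for the letters they resemble.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "3": "e",
                             "5": "s", "4": "a", "7": "t", "8": "b"})

# Constructed watchlist of brand labels to protect (second-level labels).
PROTECTED = ["wellpoint", "anthem"]


def registrable_label(domain: str) -> str:
    """Return the second-level label: 'www.we11point.com' -> 'we11point'.
    Assumes a single-label public suffix (.com, .org); multi-part suffixes
    such as .co.uk would need a public-suffix list."""
    cleaned = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    parts = cleaned.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Undo the common confusable substitutions so 'we11point' -> 'wellpoint'."""
    return label.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance, used to catch near-misses like 'welpoint'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, protected=PROTECTED, max_dist: int = 1):
    """Return (brand, reason) when the domain resembles a protected brand,
    or None when it is the genuine brand domain or clearly unrelated."""
    label = registrable_label(domain)
    if label in protected:
        return None  # the legitimate domain itself
    norm = normalize(label)
    for brand in protected:
        if norm == brand:
            return brand, "confusable-substitution"
        if edit_distance(norm, brand) <= max_dist:
            return brand, "edit-distance"
    return None


if __name__ == "__main__":
    for d in ["we11point.com", "welpoint.com", "wellpoint.com", "example.com"]:
        print(d, "->", lookalike_of(d))
```

In practice the watchlist is fed from certificate-transparency logs or newly registered domain feeds, and any hit is reviewed before users can reach it.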
The frequency of attacks and the magnitude of the breaches led to pages of healthcare cybersecurity measures being included in the Cybersecurity Act of 2015. While the federal government has responded to the data breaches, most experts agree that it’s the financial impact of breaches, as consumers take their business elsewhere, that will drive the most significant response from industry.
Lurking not too far in the shadows is the potentially more dangerous risk of hacking medical devices. Hundreds of thousands of connected patient monitors, infusion pumps and ventilators, devices critical to sustaining or supporting life, are finding their way onto networks, often without proper security safeguards. Imagine all of your worst Internet of Things problems, but inside or attached to your body. But that’s a story for another day…
Uplogix Resources for Healthcare
Deployed in a number of healthcare organizations, from clinics and research hospitals to America’s largest integrated healthcare system, the Veterans Health Administration, Uplogix provides remote access, network automation and secure administration of healthcare network infrastructure.
Case Study: Oklahoma University Health Science Center