The health care industry has remained the top data breach target for eleven years in a row. Highly sensitive and personally identifiable information (PII) held by health care systems is an attractive target. After all, it contains all the information used for identity theft. In addition, that data may be stored on less secure networks than systems in other highly regulated industries. Data protection becomes more complex in a health care environment where a large number of computers, devices and medical equipment must be secured. In addition, attackers can take advantage of health care data created throughout the course of patient care. Health care data breaches are even more insidious because they have the potential to cause great harm to victims.
What Is a Health Care Data Breach?
A health care data breach is an event in which names, medical records, financial records or payment methods are put at risk through unauthorized access to electronic or paper files. Data may be stolen, corrupted or deleted, either through an internal threat actor’s negligent or intentional actions or through a cyber attack. Health care data breaches commonly begin with compromised login credentials or with phishing attacks.
Well-Known Health Care Data Breaches
Cyber criminals targeted a large insurance company in 2015, gaining access to Anthem Inc. computer systems and stealing the PII of more than 78 million people. Stolen data included names, home addresses, dates of birth, Social Security numbers, health care system ID numbers, email addresses, employment information and income. The insurer failed to encrypt highly sensitive information, which made it easier to steal once cyber criminals entered the systems. They used compromised credentials from at least five high-ranking IT staff members. The attack is said to have started from a persistent phishing campaign. The attackers had uploaded at least a portion of the stolen data to an external data-sharing site. No health care data (e.g. medical records, images, etc.) or banking information was known to be compromised.
Also in 2015, another insurance company fell victim to a data breach that exposed 11 million customers’ medical and financial information. Premera Blue Cross reported that attackers likely gained access to insurance claims data, dates of birth, Social Security numbers, email addresses, telephone numbers and bank account information. Millions of records were exposed, but the investigation did not reveal what the insurer calls ‘inappropriate use’. Attackers hit a large number of other hospitals and clinics around the same time period in 2015.
Attackers struck UK hospitals with WannaCry ransomware in a 2017 cyberattack that spanned the globe. The attack halted patient care when it brought down digital patient records, telephone lines, email systems, computers and medical equipment. NHS staff responded by switching to pen and paper and personal mobile devices. Reportedly, NHS systems were still running outdated operating systems such as Windows XP or Windows 8. Microsoft issued a rare, critical patch to help protect outdated systems from WannaCry-style ransomware, but the NHS had not yet installed the patch on the affected computers.
In 2020, Universal Health Services (UHS) suffered a Ryuk ransomware attack that shut down phone and patient care systems at all 400 of its hospitals and clinics. UHS hospitals had to postpone surgeries and reroute emergency patients to other hospitals while online systems were locked down. Hospitals in the UHS system could no longer access online patient records and had to pivot to pen and paper. The criminal group demanded a ransom and threatened to leak the contents of stolen records. UHS did not pay, and finally restored its IT systems after a month offline. This proved to be one of the largest hospital cyber attacks in the health care industry.
How Much Does a Health Care Data Breach Cost?
Health care data breach costs are consistently the highest of any industry. In 2021, the Cost of a Data Breach report found the cost of a health care data breach reached $9.23 million (a 29% increase over 2020).
Digital health care records pose a privacy risk when networks and software systems lack the right security. Electronic health records promise interoperability between providers, portable records, a higher degree of accuracy and improved transparency, all in an effort to deliver better patient care. However, digital health care records are at risk of theft because of their high value. Application security is an essential part of keeping them safe.
Technology advances at a faster pace than health care systems can respond. Funding and medical equipment replacement are still a challenge, especially for smaller providers (e.g. rural hospital systems). For example, digital imaging equipment tends to stay in use for at least 10 years. Many facilities use models that do not meet the modern PII security requirements meant to protect the software and patient care data flowing through them.
Meanwhile, health care providers are falling prey to more high-tech cyber attacks. Hospital cyber attacks can have serious effects on patient care, especially when entire systems are inaccessible. The convenience of digital health care software quickly diminishes when it’s no longer available. Health care workers need to assess risk in a different way. Ongoing and engaging cybersecurity awareness training tailored for health care can help organizations better understand and address some of the unique risks associated with the industry.
Risks and Challenges of Data Security in the Health Care Industry
The increased complexity of IT and cloud-based systems creates big challenges for any data protection program. Meeting PII compliance and security needs across multiple systems can be a challenge for a hospital system. Missed compliance objectives can mean higher risks and costs. Database security for immense patient databases is key to reducing risk where possible.
Health care data breaches will continue to increase so long as they continue to turn a profit for attackers. The health care industry must strike a delicate balance between high-quality patient care and robust cyber defenses. Meeting both objectives requires dedicated attention to both, which can seem like a luxury — especially for smaller health care providers. If history is any sign, the cost of a health care data breach will increase year over year going forward.