October 5, 2018 By Joan Goodchild 3 min read

Criminals know how lucrative healthcare cyberattacks can be. As reported by Forbes, an electronic health record (EHR) could be worth hundreds, even thousands, of dollars on the black market. And unlike a credit card or financial record, a medical record is a living document that can be used by criminals over a person’s lifetime — there’s no closing down a health record. For example, a threat actor could use sensitive information about health conditions and diseases to extort a victim for years.

“From a purely monetary perspective, medical records, depending upon their completeness, can fetch upwards of $1,000 per record,” according to RedLock’s Matt Chiodi. “Contrast that number with credit cards, where the typical value is $30.”

Unfortunately, with its value fully realized, medical information is now more susceptible to theft due to the pervasiveness of electronic records. Over the last decade, healthcare clinics and hospitals have widely adopted EHR systems to save on costs. However, while they’re more efficient than paper systems, digital records are also vulnerable to cyberattacks.

Healthcare Cyberattacks Beyond the Doctor’s Office

Hospitals and medical clinics aren’t the only healthcare entities that need to keep their data secure and private. DNA and genomics-analysis services also store sensitive biodata in the interest of serving their clients. Are the threats that these types of companies face the same as a traditional healthcare provider? What kinds of attacks do they need to guard against? And what are they already doing to shore up defenses and protect customer data?

“The general fear is actually with the customer signing away their DNA profile to a testing company,” said Chris Jordan, CEO of the security firm Fluency. “There has been little concern of the theft for malicious intent, mainly due to the mapping to value of the data. The real threat is that the value is unknown, meaning that two years down the road people might start seeing a value to the data, and your DNA data may be on a system with inadequate protection.”

Is Your Company at Risk of a Different Kind of Infection?

Cybercriminals exploit healthcare organizations for a variety of purposes, including data manipulation through loss, leakage and spoofing. One of the most common threats targeting the sector is ransomware, as evidenced by the massive WannaCry attack that infected hundreds of thousands of endpoints on healthcare networks in more than 150 countries around the world in May 2017.

As Bloomberg reported, attacks of all kinds against healthcare organizations have increased in the last year and show no signs of slowing — particularly when it comes to phishing and ransomware attacks used to gain access to private data.

According to Rami Muleys, head of application security business development at Positive Technologies, the threat of ransomware is evolving to become even more targeted.

“Moving forward, there’s a chance that cybercriminals could change tactics and, instead of destroying sensitive data, use it for targeted attacks,” he explained. “As an example, a patient with a sexually transmitted disease could find themselves blackmailed; a patient with an allergy could be attacked with his or her allergen.”

Critical Condition: How to Keep Healthcare Data Private

What are businesses that collect biodata doing to protect sensitive data and client information?

A spokesperson for personal genomics and biotechnology company 23andMe noted that customer data is stored in “walled-off segregated computing environments” and protected by a “comprehensive security program that utilizes de-identification — which protects an individual’s identity by removing all registration information, name, email address, etc. to protect the unique set of information associated with our service.”

The spokesperson also noted that each customer can choose whether to participate in research or share his or her data, and that the company does not share personal information without explicit consent.

Beyond policies, basic security practices are more important than ever for today’s healthcare workforce.

“Healthcare organizations should perform regular security assessments of their systems,” Muleys advised. “Not just the usual HIPAA compliance assessments, but beyond formal requirements, including practical penetration tests.”

The stakes are just as high for healthcare-related businesses that gather and store data about clients’ health and genetic backgrounds. Companies that work in this space will see an increased level of scrutiny as more data breaches inevitably hit the sector in the coming months and years. Security managers at these enterprises need to keep their data privacy and security strategies front and center in business planning.
