More than 750 data breaches occurred in 2015, the top seven of which opened over 193 million personal records to fraud and identity theft. The top three breaches of data security were from the health care industry.
The largest health care breach ever recorded was that of the health insurance company, Anthem. The breach exposed the personal records — including names, birth dates, Social Security numbers, home addresses and other personal info — of 78.8 million current and former members and employees of Anthem.
Other major health care cyber attacks and data breaches include Excellus BlueCross BlueShield and Premera Blue Cross. These breaches alone exposed the information of more than 21 million members.
The attacks didn’t stop in 2015. In June 2016 alone, more than 11 million health care records were exposed because of cyber attacks. According to a new survey conducted by Ponemon, the private research institute, the average cost to health care organizations per record breached is $355, compared to $158 per lost or stolen record in other industries. The average total cost of a data breach for the 383 companies that participated in the Ponemon research was $4 million. Looking at these numbers, it is obvious that cyber and data security is a major concern to health care.
The Stolen Health Data Market
Stolen health care data fetches a smaller price than stolen financial records, so the motivations behind stealing and selling bulk medical data are unclear. However, according to a “Health Warning” report by Intel Security McAfee Labs, cybercriminals are putting more time and resources into exploiting and monetizing health care data.
Financial data can quickly become unusable after being stolen, because people can quickly change their credit card numbers. But medical data are not perishable, which makes them particularly valuable. Some in the medical industry speculate that medical data could grow to rival or surpass financial data in value on the black market; but research by Intel Security in 2016 has shown that this is not yet the case. So far, the most valuable data targeted by cybercriminals is pharmaceutical and biotech intellectual property.
Understanding and Combating the Threat
These trends regarding data breaches look grim, but experts are working on ways to stop these breaches. The health care industry is comparatively unprepared when it comes to data security. Confronting the problem involves not only understanding the threat, but being proactive in combating it, which means not only solving old problems but racing to protect against new ones.
The FDA recently issued new guidelines for data security in medical devices. Security in medical devices could pose a unique threat because of their technological diversity. Medical devices — everything from health applications on a smartphone to insulin pumps — are increasingly networked, leaving unique openings for hackers. If exploited, these openings could lead not only to data breaches but to fatalities in people relying on medical devices.
The guidelines issued previously by the FDA suggested that stricter security measures should be taken before devices come to market, but the new guidelines focus on security vulnerabilities after devices are available to consumers. The guidelines recommend that device manufacturers should develop better channels of communication to ensure that vulnerabilities can be identified and fixed once the device is on the market.
According to the HIPAA Journal, 91 percent of cyber attacks come from phishing emails. Often phishing emails are personalized — they may come from somebody who is ostensibly a business associate, with an urgent subject line and an attached document that allows a virus infection. People with large workloads are more likely to blindly click on these emails. In order to remedy this problem, proper training is required for maximal computer literacy. In other words, the key to dramatically reducing security breaches could simply be a matter of designing, implementing and testing proper data security training.
But for the attacks that are more sophisticated in exploiting existing data vulnerabilities in health care, new forward-thinking techniques for protecting medical data are necessary. Health care institutions, business associates, and health care technology purveyors all need to keep lines of communication constantly open in order to keep abreast of evolving security risks and their solutions.
The risks and costs associated with health care data security breaches are too high, and the confidential, personal health data of millions are at risk. This makes data security health care’s biggest concern today, and a problem for which innovation and communication are of the utmost importance.
The University of Illinois at Chicago delivers some of the most innovative and comprehensive Health Informatics and Health Information Management programs in the country. Our advanced degree and certificate programs can prepare you to make an immediate impact within your organization and play a vital role in the evolution of the healthcare industry as a whole.
Spok, “The Healthcare CIO Perspective on Supporting Clinical Workflows”
Healthcare IT News, “7 largest data breaches of 2015”
Healthcare IT News, “Cost of data breaches climbs to $4 million as healthcare incidents are most expensive, Ponemon finds”
HIPAA Journal, “FDA Issues Final Cybersecurity Guidance for Medical Device Manufacturers”
HIPAA Journal, “Security Risks of Unencrypted Pages Evaluated”
HIPAA Journal, “Phishing Emails Used in 91% of Cyberattacks”