Last year was not a good one for the healthcare industry’s security reputation. A quick Google search will unearth countless news articles focused on data breaches in healthcare from across the globe. In the UK, cyber attacks and data breaches hit the NHS hard, while private healthcare providers in the US, UK and Australia all suffered at the hands of hackers.
US Healthcare Data Breaches
In the third quarter of 2018 alone, 117 health data breaches in the US affected the records of 4.4 million patients. Those figures dwarfed the (already-shocking) numbers reported in the first two quarters of the year, with 110 breaches affecting 1.13 million patient records in Q1 and 142 breaches affecting 3.15 million records in Q2. The largest US healthcare data breach of 2018 affected 2.65 million patients of billing vendor AccuDoc Solutions (which prepares bills for Atrium Health), over a week-long attack at the end of September 2018, during which hackers were able to view (though not extract) data right up until October, when Atrium Health was notified of the breach.
Health Data Breaches in Australia
In Australia, it was reported that the private healthcare and financial sectors were bearing the main brunt of cyber attacks across all industries in Q2 of 2018. In that quarter alone, the private health sector in Australia experienced 49 breaches, 20 of which were due to malicious attack (and the rest due to human error).
Data Breaches in UK Healthcare
The UK’s National Health Service (NHS), which famously hit the headlines for the 2017 WannaCry attack that cost £92 million (approximately £19m of lost output and £73m in IT costs), didn’t escape in 2018, either. In July 2018, the BBC reported a data breach that exposed confidential information of 150,000 patients. The breach was put down to a ‘coding error’ within the SystmOne software, which junior health minister Jackie Doyle-Price insisted would be prevented from happening again by the introduction of a new national data opt-out program.
UK private health insurance provider Bupa was fined over £100,000 by the ICO (Information Commissioner’s Office) for the theft of personal information of 547,000 customers by an employee, which was subsequently put up for sale on the dark web.
So what’s going on here? Why are health records such a target for cyber attack, and how come there are so many breaches due to ‘human error’?
1. Outdated Systems
One of the most significant reasons for the prevalence of breaches in healthcare, unfortunately, is the use of outdated security, antivirus and management software systems. Many healthcare organizations have moved quickly from legacy systems to newer technologies, but with a constant influx of new data, it's difficult for them to transition to new systems without widespread disruption or to fully integrate old systems with modern security measures. The networks involved are incredibly complex, with one of the major failures being the lack of a centralized location for oversight.
In short, there is no one able to keep tabs on the whole system from one place. A gradual movement over to cloud storage is helping alleviate this problem (though it introduces security risks of its own), but without up-to-date processes in place now, vulnerabilities persist.
2. Connected Tech
As medical technology advances, more and more equipment becomes digitized and connected to deliver real-time data and improved patient care. But more connected tech means more entry points for attackers and more opportunities for leaks. Better visibility over who has access to which data and systems, and what they do with that access, would certainly help. From third-party providers updating major equipment software to doctors accessing patient records, healthcare technology is easily exploited by malicious attackers, resulting in devastating amounts of downtime as well as risk to patient data, or even to patient health.
3. Lucrative Data
Healthcare records themselves are a coveted target for attackers. A single patient’s health record can go for as much as $50. With millions stored in one vulnerable system, an attacker stands to earn a lot of money on the dark web. Healthcare records are a treasure trove of personal information, including names and addresses, social security numbers, and birth dates, among other valuable details, the likes of which are hard to obtain so neatly anywhere else. It is everything an identity thief needs to do business.
Clearly, given the statistics above, breaches in healthcare data are much more common than they should be, and much too easy to commit. Unfortunately, despite the countless breaches that have taken place in recent years, providers are still failing to prioritize data security, even in the face of massive fines.
If these providers were to begin by taking control of access to their systems, they could mitigate the risks considerably. Insider attacks and human error account for a large proportion of healthcare data breaches, so it is simply common sense that privileged access management is key to significantly reducing the attack surface in one fell swoop. Granted, we are looking here at incredibly complex and often outdated systems, but adopting a PAM system such as the WALLIX Bastion would keep things simple and straightforward, protecting critical healthcare assets from breach.