What makes the healthcare industry such a hot target for hackers? The answer lies in the records that it keeps. Medical records contain some of the most valuable personal information — social security numbers, birth and death dates, family information, billing information including credit card data — that allows hackers to gain full rein over a person’s identity and do some major damage. Just like any other business, even in hacking it boils down to the bottom line, and hackers want the most payout for their efforts. Healthcare organizations are the latest gold mine.
Yet, so many organizations are doing a poor job of protecting patient data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20 percent of all data breaches reported in 2011 were in the healthcare industry; the Privacy Rights Clearinghouse pegged this number at 33 percent in 2011. So, anywhere from one-fifth to one-third of data breaches last year were at healthcare organizations – that’s significant.
What’s more, we continue to see that hackers use simple methods for most breaches. Organizations that lack firewalls, leave ports open to the Internet, or use easy-to-guess passwords are a prime target for hackers.
Complicating things further is demand for anytime, anywhere access to health information. Patients want to access their records online, but also want their information to be completely secure. At the same time, healthcare providers want access to patients’ records on tablet computers, laptops and smartphones in order to provide better quality care and to be more productive. The desire for this type of access is certainly reasonable, but it comes with greater responsibility to protect data wherever it is stored or used.
While most hackers access valuable information through holes in a company’s network, a lost or stolen device in the wrong hands is a menacing threat. Symantec recently conducted a study on what happens with smartphones lost in public places, called the Honey Stick Project. We found that only 50 percent of the people who found the phones contacted the owner, and 83 percent accessed corporate-related apps and information.
And it doesn’t matter whether the patient data on a lost laptop, tablet PC, smartphone or backup tape is ever used to steal someone’s identity, because it’s still a data breach in the eyes of regulators and patients. Regulators are starting to crack down on healthcare organizations that fail to protect patient data under HIPAA and the HITECH Act. But even before any fines are levied, breaches take a hefty toll on healthcare organizations, costing $240 per record (nearly 25 percent more than the average across all industries), according to the 2011 Ponemon Cost of a Data Breach study. A large part of this cost is lost business. Patients are less tolerant of data breaches of their personal health information, and they’re more likely to abandon the organization after a data breach — the healthcare industry had the third highest churn rate of the 14 industries in the study.
Ultimately, the latest string of healthcare data breaches should serve as yet another wake-up call. While healthcare organizations face a growing number of security threats, you can improve your security posture by following these best practices:
- Assess risks by identifying and classifying confidential information
- Educate employees on information protection policies and procedures (such as streamlined social media profiles), then hold them accountable
- Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
- Deploy data loss prevention technologies which enable policy compliance and enforcement
- Proactively encrypt laptops to minimize consequences of a lost device
- Implement two-factor authentication (e.g., VPN plus strong user name and password)
- Integrate information protection practices into business processes
Following these best practices can keep your patient data secure and protected against hackers. Healthcare providers always strive to provide the very best care for their patients; shouldn’t the same care be given to protecting their medical records?
* Originally posted on Symantec's In Defense of Data blog on June 5, 2012