A Summer to Forget for the Healthcare Industry
While we’re amidst the throes of winter, when it comes to cyber security, one industry is happy the summer is long over. It was a pretty bad summer for the healthcare industry in terms of email security and data breaches. An endless stream of bad security news plagued the sector. Among the breaches:
City of Hope, a cancer treatment center in California, was the victim of a phishing attack in early June, determining only in late July that confidential patient data may have been accessed.
Pacific Alliance Medical Center, in Los Angeles, also got hit by ransomware in June.
Family Tree Health Clinic in League City, Texas was also the victim of a ransomware attack in late June.
Medical Oncology Hematology Consultants, located in Delaware, was also attacked by ransomware in mid-June, but the attack was only discovered nearly 3 weeks later. In response, they did offer free credit monitoring services courtesy of Equifax, among other agencies; in light of more recent events this may have been a bad idea.
In mid-June, Launchpoint discovered that an employee had sent protected health information (PHI) to a personal email address as part of an identity theft scheme, potentially compromising as many as 18,000 health insurance enrollees.
There was also St Marks Surgical Center in Fort Myers, Florida, which suffered a ransomware attack that affected up to 33,000 patients.
That’s only a sampling. To develop a more comprehensive sense of the concerns you may have for your health data, you can go to Health IT Security news and discover more about the regular, frequent attacks cyber criminals conduct on healthcare service providers. This is an excellent resource, and a list you don’t want to see your healthcare service provider’s name on.
Why’s This Happening?
We wrote a short explainer about this back in February on why healthcare is such an attractive target for breaches and cyber attacks.
Clearly these threats are only continuing to spread, and that’s in large part due to the very high “street price” of medical data. A stolen medical record can be worth 60x a stolen credit card or much more*. The high value is partially due to the $20,000 payout to cyber criminals who use the information in the records successfully.
Interestingly, this demand (and the proliferation of attacks) has created an excess supply. This has led to a reported drop in the street price of the records, and to an increase in ransomware, where the payout is immediate and requires less “creativity”.
Much of the healthcare industry is beginning to realize this and is investing heavily in its security as a result (call us if you aren’t yet!). But even with these developments, vulnerabilities can always emerge.
Righting the Ship
So, how does a healthcare organization know security is working?
It’s really difficult to quantify the value of protection when a “black swan” type event comes in without any warning and wreaks havoc on your IT infrastructure. Often the victims employ HIPAA-compliant (and ePHI) protection for email and other systems, yet still get victimized through human error.
The key here is that it’s difficult to quantify the attacks that haven’t happened (unless you’re a risk management professional, of course), but understanding what has happened to other organizations can help reinforce what steps to take to prevent the same things from happening to you. Your email security solution (or ours, at least) will block greater than 99.95% of all spam, a few of which are phishing or ransomware emails. Training and awareness should cover most of the less than 0.05% that remains. That leaves only a very small risk if you have the solution and programs in place.
We often talk about the majority of cyber attacks being the result of human error. With advances in all elements of security forcing cyber criminals to be creative, it’s clear that attackers are now more interested in (or forced into) taking advantage of human error, because that’s where they can see results.
Cyber Secure in the Healthcare Industry…
The healthcare industry is highly vulnerable to ransomware, phishing threats, and even internal employee threats and data loss that could be prevented with the right education and protection. Industry member organizations need not only to focus on HIPAA compliance, but also to protect their users and employees from being targeted by and falling victim to phishing emails, malicious URLs and attachments, ransomware (including where not delivered by email) and other email-borne malware.
Now, records falling off the back of trucks and people losing laptops…that’s a real challenge.
*Note: there’s variation in the reported street value of the records. Our quick research has it valued at anywhere from $1.50 to $1000s. It appears evident from any research we’ve seen that, due to its sensitivity and value in committing fraud, health data is much more valuable than other data when illicitly obtained.