The healthcare industry is undeniably a target of cybercriminals. With the increased usage of electronic health records, healthcare organizations have large volumes of data stored in data centers, held on employee devices and sent through email. However, these businesses should not be expected to stop what they are doing and find new methods. Instead, they need to adopt defenses against data breaches, such as email encryption programs and third-party security services, and, most importantly, invest in new computer systems with up-to-date security features.
Even if healthcare organizations take all the precautions necessary to mitigate intrusions, cybercriminals will still launch attacks in an attempt to steal patients' information. The key is prevention, building up a defense that cannot be breached. What is strange, however, is that just under half of intrusion attempts target healthcare organizations. The Identity Theft Resource Center found that 43.8 percent of reported data breaches occurred in the healthcare sector during 2013. Compared to 2012 findings, attacks are only increasing in frequency. This leaves many questioning why the healthcare industry is so prone to intrusion attempts.
Why are hackers targeting healthcare organizations?
While there might be many reasons behind attacks on the healthcare sector, a few stand out. Opportunity plays a large role. Dark Reading contributor Lysa Myers reported that healthcare organizations just do not spend enough on security. Their role in society is to provide for patients, not protect their medical information. So, spending is more likely to be focused on improving medical equipment, hiring doctors and purchasing cutting-edge medications. MRI machines are not exactly cheap, but they are required for large healthcare providers. Myers wrote that many of these organizations follow the Health Insurance Portability and Accountability Act (HIPAA) to the letter, but they do so only to avoid fines after a data breach, rather than implementing security measures above and beyond HIPAA compliance.
Old computers and operating systems are another reason healthcare organizations present such a good opportunity for data theft. Information Security Buzz cited a NetMarketShare study that found 30 percent of healthcare employees' PCs were still running Windows XP as of February 2014. If that is how many computers use the 13-year-old operating system, just consider what medical devices could be based on. To add insult to injury, Microsoft no longer provides support for Windows XP, which means any vulnerabilities are there to stay. Cybercriminals could focus on creating viruses, spyware and malware for Windows XP, and there is little healthcare organizations can do to protect themselves outside of constantly monitoring every medical device and computer.
All about the money
The combination of limited security spending and legacy systems is perfect for cybercriminals, but that does not explain why they would even bother trying to infiltrate healthcare systems. No, it is not for street - or Internet - credibility. Hackers can make a lot of money off patient records, even more than off credit card numbers. Reuters reported that stolen health credentials can be sold for around $10 each, while a U.S. citizen's credit card information will only net approximately $1 or even 50 cents. Now, consider how long it took the public to be notified of the Community Health Systems data breach. There is ample time for cybercriminals or their cohorts to use the stolen information, while credit cards are typically canceled right away. Community Health Systems experienced a breach affecting 4.5 million patients. This means that the successful hacker could have earned up to $45 million. That right there is why cybercriminals target healthcare organizations.
Losing data and revenue
While hackers are earning large sums of money, the healthcare providers that they steal from are incurring massive costs due to intrusions. The Ponemon Institute recently conducted a study that discovered the costs of a data breach have increased 96 percent in the past five years. Now, the average amount of revenue spent on a single cybercrime incident is $12.7 million, and depending on the amount of information stolen and the time it took to find out about the breach, the cost can vary from $1.6 million to $61 million. Additionally, it seems that money spent trying to prevent a breach is much better spent than money invested after an intrusion. The Ponemon Institute found that detection and recovery are the most costly internal activities, as they account for 49 percent of the total spending associated with data protection.
"Business disruption, information loss and the time it takes to detect a breach collectively represented the highest cost to organizations experiencing a breach," said Larry Ponemon, chairman and founder of Ponemon Institute.
Working with cloud and email security providers is the best way to avoid experiencing a data breach and the massive costs that it causes. Action rather than reaction will be a healthcare organization's easiest method for mitigating the chances of an intrusion.
David Bailey is Senior Vice President at Protected Trust.
Protected Trust is a sponsor of the Print4Pay Hotel.