Healthcare-related data breaches often make headlines. And these past few years, they have become commonplace. Unknown to most people, these breaches comprise a grim reality that most healthcare institutions are facing today.
The healthcare industry has always been a lucrative target for enterprising cyberhackers who want our healthcare data because it happens to have a long shelf life. It also costs more than financial data in underground marketplaces. A study, in fact, revealed that each electronic health record (EHR) earns criminals around US$429, more than double the average of US$150 for other personal record types. Other industry statistics, meanwhile, revealed that incomplete health records cost US$50 as opposed to only US$1 per credit card number.
If you do the math, that could net criminals a hefty amount, considering that the number of patients impacted by just one breach can run into the millions. For instance, the Anthem breach compromised the records of more than 78 million people. That also meant risks to their identities should criminals use the stolen data for fraudulent activities.
The Impact of Data Breaches
The financial consequences and reputational damage that hacking incidents inflict on healthcare providers are devastating, putting some at risk of closing shop. According to the same report cited above, the average cost of a data breach among healthcare organizations globally in 2019 was US$6.45 million.
The amount lost depends on various factors, including the type of incident and how large an organization is. Often, smaller businesses feel the impact of breaches most. Smaller healthcare players with fewer than 500 employees suffer losses amounting to US$2.5 million per incident.
The report also cited the loss of business due to customer attrition as the most significant effect on the affected companies. Estimates reveal that the attrition rate lies at 3.9% following a breach.
Common Causes of Data Breaches
System malfunctions or vulnerabilities and human error are the chief reasons behind healthcare breaches. No phishing or ransomware attack, after all, would succeed if security vulnerabilities or insider threats didn’t exist within a network.
Poor tech hygiene is also a recurring theme among victims. Phishing or email hijacking attacks, for instance, occur when healthcare employees open a suspicious email and download a malware-infected file attachment. Ransomware is often installed on compromised systems in the same way.
In fact, a spate of ransomware attacks has been plaguing the industry. In 2019, many hospitals and clinics from Ohio, Utah, Alabama, and California fell victim to ransomware attacks. The malicious programs encrypted not only patient records but providers’ entire IT infrastructure as well. Such attacks are dangerous as they could put critical patients who need immediate help at risk.
Healthcare Cybersecurity: Overcoming Future Challenges
Experts surmise that state-sponsored hackers and cyberespionage groups are responsible for most breaches. The fact that some governments back criminals to do their bidding can be a bit unsettling. It undeniably makes it more difficult for healthcare companies without sufficient resources to defend themselves against attacks.
Is there anything providers can do to fend off attacks? There are, of course, several ways that healthcare companies can build up their resilience against attacks, such as:
- First and foremost, organizations should perform a thorough risk assessment of their supply chain and third-party affiliates. They should conduct an extensive review of their compliance programs and find areas where they’re lacking.
- Second, they should beef up their security posture by empowering IT teams with training and the latest cybersecurity research, endpoint detection, and threat intelligence tools. Healthcare companies should also implement a robust cybersecurity strategy.
- Finally, healthcare organizations should educate non-tech-savvy employees about cybersecurity. People who are not knowledgeable about threats should be made more aware and taught to handle unsolicited emails and practice good tech hygiene.
There is no doubt that the healthcare industry is under siege by more prominent and more resourceful cyber adversaries. However, it’s not entirely hopeless. By revisiting their cybersecurity practices and establishing better strategies, healthcare organizations can shore up their defenses against malicious and costly attacks.