Data Security in Healthcare Needs Intensive Care
Healthcare: The Most Breached Industry
Data Breach Frequency:
The healthcare industry recognizes that reported incidents of data breaches are on the rise, and the fallout has a direct impact on the corporate bottom line. Meanwhile, despite stringent data security compliance and reporting requirements, the healthcare industry continues to be targeted by malicious actors. Presumably, the reason for the bullseye placed on the healthcare industry is the detailed information that healthcare providers and their business associates collect, process, transmit, and store.
Electronic Personal Health Information (ePHI) and Electronic Medical Records (EMR) contain all the most valuable information that a malicious actor can sell on the dark web. Name, birth date, social security number are only the tip of the iceberg - even low skilled fraud actors are able to easily monetize such information. However, the additional data points of EMR and ePHI include financial records, health insurance information, and all the aggregate information needed to exponentially increase the value of the data - everything from low level identify theft to advanced insurance fraud is made possible when the prolific amount of hacked data available on the internet underground.
The 2019 Ponemon Cost of a Data Breach Report highlighted the financial impact of data breaches on the healthcare industry, noting that the average total cost of a data breach was $6.45 million, 65% higher than the average total cost of a data breach. In fact, data breaches in the healthcare industry cost more than those in any other industry analyzed. As if that information is not frightening enough, the per record cost to insurance providers is $429 - even when the data is sold for just a few dollars per record in the underground. Moreover, abnormal customer churn after a healthcare data breach was 7%, again, the highest of all the industries reviewed.
Larger Providers Have More Data But Smaller Have Fewer Security Resources
When it comes to compromised organizations, size does not matter. Whether a large healthcare insurance provider or a local private practice, data breach incidents overall for the industry as a whole. Private practices and local clinics found themselves more vulnerable than larger organizations, as smaller practices do not have the resources to retain a full time security team and oftentimes rely solely on a third party IT consultant. A common breach scenario would involve the third party IT consultant being compromised, and since that person services multiple industry specific clients - all the clients would be compromised as well.
A 2018 report by the U.S. Department of Health and Human Services and the Healthcare & Public Health Sector Coordinating Councils highlighted the impact of data breaches on small practices.
- 4 out of 5 US physicians’ offices experienced a data breach.
- An attack on small clinic of under 50 beds compromised an entire hospital Electronic Health Record (EHR) system.
- A single compromised orthopedic practice led to 500 patient profiles being sold on the dark web.
Increases across the board in every category for the healthcare industry indicate that malicious actors target every potential vulnerability to obtain the valuable records stored by providers. Attacks against physicians’ offices and smaller healthcare clinics are on the rise compared to insurance companies, pharmacies, hospitals, and colleges. Malicious actors increasingly target small networks for the purposes of staying under the radar and having more success, as larger enterprises may be more security aware and are looking for malicious activity.
A similar shift from enterprise attacks to small business attacks was observed during the rise of the financial bank fraud trojans in the mid-2000’s. The initial targets were the users of the largest financial institutions. As the years went on, the large banks implemented controls to mitigate the methods employed by malicious actors and the target focused switched to smaller credit unions and smaller financial institutions.
Many smaller practices and providers suffer from rising IT security professional costs arising from the education gap. A 2019 report by the labor market analytics firm Burning Glass Technologies found:
- 94% growth in the number of cybersecurity job listings since 2013
- 2.3 employed cybersecurity workers available per job listing
- 13% of IT jobs were cybersecurity
- $93,540 is the average salary for cybersecurity employees, 16% more than average for all IT jobs
With the high salary that experienced cybersecurity employees can demand in conjunction with their relative low market availability, smaller practices and providers cannot pay or retain the human resources needed to protect their high-value data. Malicious actors recognize this skill deficit and prey on it.
Weak Web Application Security: Digital Transformation Increases Data Breach Risks
Application security, possibly more than any other threat vector, remains healthcare’s greatest cybersecurity weakness. Data aggregated from theU.S. Department of Health and Human Services Office for Civil Rights Breach Portal combined with SecurityScorecard research highlights the impact weak web application security has on patient data security. In the above image, the circle represents the number of affected individuals.
Although highly regulated, the healthcare industry’s adoption of mobile technologies occurred in response to patient requests. Digital transformation and interoperability led to ad hoc and homegrown application creation. As such, the rapid adoption of new technologies created a patchwork quilt based on functionality rather than security. A July 2018 paper in JAIMA Open, detailed the recent increases in data breaches affecting healthcare providers from 2013 through 2017:
- 184 breaches affecting 5, 773,597 patient records in 2013
- 180 breaches affecting 2,051,214 patient records in 2014
- 194 breaches affecting 6,392,806 patient records in 2015
- 256 breaches affecting 12,213,969 patient records in 2016
- 259 breaches affecting 4,328,916 patient records in 2017
Most interestingly, the report notes that in 2017, data breaches of providers accounted for 88.9% of affected patient records. The dip in patient records affected by providers dipped in 2015 because healthcare insurance providers suffered devastating attacks that year. As they tightened their cybersecurity practices, malicious actors refocused their attention on providers and hospitals.
As more healthcare providers incorporate mobile devices and Internet of Things (IoT) devices, malicious actors will increase their focus on these web application vulnerabilities.
Equally important to protecting ePHI is the impact of business associate security. Attacks targeting networks are nothing new nor is the supply chain threat vector. However, increasingly, malicious actors seek to find weaknesses wherever possible.
The drive for interoperability in healthcare increases the impact of third party business associate risk. In early 2019, for example, the Healthcare Information and Management Systems Society (HIMSS) redefined interoperability as the “ability of different information systems, devices or applications to connect, in a coordinated manner, within and across organizational boundaries to access, exchange, and cooperatively use data amongst stakeholders, with the goal of optimizing the health of individuals and populations.” Moreover, the Trusted Exchange Framework and Common Agreement (TEFCA) released a draft proposal in April 2019 indicating that it expected healthcare providers to do a better job balancing patient privacy and sharing patient healthcare information with medical stakeholders such as labs and specialists.
The healthcare industry, therefore, finds itself between the proverbial rock and a hard place. Managing data security while being required to share information with third-party business associates is a direction, not a suggestion.
The SecurityScorecard Network Security factor includes monitoring for vulnerabilities such as open access points, insecure or misconfigured SSL certificates, or database vulnerabilities and security holes that can stem from the lack of proper security measures. Logically, healthcare organizations or business associates with lower network security scores are more likely to have a breach in the network server. SecurityScorecard’s predictive indicators incorporate correlated and uncorrelated data that enable healthcare providers to monitor their business associates’ security profiles and partner with them to enhance ecosystem security.
The lower an organization’s Network Security score, the greater the risk of the organization experiencing a network server breach. From the interoperability perspective, healthcare organizations, providers, and business associates must monitor their upstream and downstream supply chain partners to secure patient data.
For large organizations, securing the network may be easier because they have the resources to obtain the cybersecurity professionals and tools necessary. However, smaller providers, such as college campus health clinics, lack these resources. In order to secure the networks, all healthcare providers and business associates need to invest in continuous monitoring to detect potential risks arising from weak network security controls.
The risk of you getting a breach in the network server is higher than them getting a breach in the network server because your network security score is lower.
Meeting Compliance Requirements Means Maintaining Supply Chain Security
The healthcare industry faces stringent compliance requirements. The Health Insurance Portability and Accountability Act (HIPAA) incorporates both the Security Rule and Privacy Rule. Meanwhile, the Health Information Trust Alliance (HiTRUST) framework enables organizations to follow risk-based control suggestions for complying with the HIPAA Security Rule. Both the regulation and the industry standard require healthcare providers and healthcare plans to monitor their business associate cybersecurity profile.
Interoperability: Sharing Data Responsibly
The increased regulatory compliance focus on business associate cybersecurity appears to be achieving its goal. Business associates exhibited higher average security ratings than either health plans or healthcare providers. Although compliance does not equate to security, creating a holistic, integrated approach to security often eases compliance burdens. In fact, the data in the JAIMA Open article reinforces this as part of its “Other” category noting:
- 77 breaches affecting 1,078,487 patient records in 2013
- 96 breaches affecting 8,496,026 patient records in 2014
- 13 breaches affecting 3,954,463 patient records in 2015
- 20 breaches affecting 3,560,666 patient records in 2016
- 18 breaches affecting 209,876 patient records in 2017
Regulatory requirements forced business associates into strengthening their security postures by impacting market demand. To keep their customers, business associates needed to prove the effectiveness of their cybersecurity controls. Similarly, the decrease in healthcare plan data breaches indicate that market factors may have been a driving force for strengthening cybersecurity controls after the 2015 peak in breaches.
Meanwhile, healthcare providers lag behind their market partners. Despite having the highest post-breach customer churn as an industry, healthcare remains the “most breached” industry.
Looking to the future of compliance, however, the market factors may become drivers in securing ePHI and EMR. Both the European Union Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) establish consumer civil litigation rights in the event of a data breach. These trailblazing regulations may be the harbinger of future laws. The proposed New York Privacy Act, following in the footsteps of India’s Data Protection Act of 2018, incorporated the term “data fiduciary.” As a data fiduciary, the regulations both indicate a strict liability standard for organizations transmitting, processing, storing, and distributing personally identifiable information (PII). In short, healthcare providers, healthcare plans, and their business associates would be automatically liable for any data breach regardless of fault. This could potentially impact the ability of healthcare providers and healthcare plans with less mature security and compliance profiles to find business associates willing to engage in contractual obligations.
SecurityScorecard: Strengthening Security Through Visibility
As the healthcare industry seeks to heal its cybersecurity illness, it needs to find ways of gaining insight into potential threats. Interoperability mandates and increased patient mobile data access decrease visibility across the ecosystem.
SecurityScorecard’s security ratings provide the necessary visibility to help maintain organizational cyber health. Our easy-to-read ratings use an A-F scale across ten factors including Network Security, Web Application Security, IP Reputation, DNS Health, Endpoint Security, Patching Cadence, Hacker Chatter, Leaked Credentials, and Social Engineering. Organizations not only obtain at-a-glance insight into their own security posture but into the security posture of their entire ecosystem.
With more than 2 million organizations monitored in our platform, we provide a rich data set that enables organizations to monitor and compare security posture within an industry or across an ecosystem. Our Custom Cards enable customers to create detailed reviews based on IP addresses to monitor individual business lines, which in the case of healthcare can include labs, clinics, or specialists’ offices.
Finally, our Atlas platform enables you to streamline your vendor and business associate risk management by streamlining the time-consuming questionnaire process. Atlas enables you to securely transmit questionnaires, then aligns the vendors’ responses to the information in our platform, providing real-time verification of answers. Additionally, our machine learning capabilities can use previously submitted responses to fill in new questionnaires so that as the organization needs to incorporate additional compliance requirements, customers and their vendors can streamline the process even further. For more information about how SecurityScorecard can help heal your cybersecurity program, contact us today.