Healthcare organizations are certainly not immune to cyber attacks. Sensitive data and personal health information (PHI) contained in patient records are often the ultimate target and can be extremely valuable to hackers. In this guest post, Nick Owen, president of a two-factor authentication provider, explains what makes this data so valuable and how two-factor authentication can help protect it.
Attacks on healthcare organizations increased 72% between 2013 and 2014, and that percentage is expected to grow even more when we look back at 2015, according to industry analyst firm Aberdeen Group.
What makes PHI data so valuable to hackers?
Because patient records contain numerous pieces of personal information, including names, addresses, birthdates, Social Security, driver’s license and medical plan numbers, they can be sold for $343 each, according to the Ponemon Institute. The Aberdeen Group reports that such records can go for $500 per patient and security firm RedJack found a set of Medicare ID numbers for 10 beneficiaries being sold online for 22 bitcoins, or about $4,700. Compare that to a stolen credit card number that goes for just a few dollars or even a few cents.
Much of this stolen data is showing up on the dark web, where cyber criminals conduct business, and once it’s out there it can’t be undone. A credit card can be cancelled and fraudulent charges reversed, whereas PHI is non-recoverable. Hackers are also well aware that it’s still fairly easy to steal since most healthcare organizations are lagging behind the retail and financial services industries – their first major targets – in implementing adequate protection. The sheer number of 2015 data breaches shows that cybercriminals are getting around perimeter security defenses in all types of healthcare organizations.
Let’s look at some additional telling statistics:
- In the first 10 months of 2015, unsecured PHI held by 200 companies in the healthcare industry was breached, ranging from 500 to 788 million records stolen per organization. (Source: Department of Health and Human Services Office for Civil Rights Breach Portal)
- Over the last two years, more than 90% of healthcare providers experienced a security breach and 40% had more than five data breaches during that time. The average cost of a security breach in healthcare organizations exceeds $2.1 million. (Source: Ponemon Institute)
- In the largest healthcare company breach to date, 788 million Americans’ personal information was stolen from health insurance company Anthem in January 2015 when network credentials of at least five employees with high-level IT access were compromised. (LA Times)
With the number of healthcare industry breaches accelerating and affecting companies ranging in size from single-practitioner dental and medical offices to large hospitals and insurance companies, the federal government is getting dead serious about data security. The latest HIPAA regulations are decidedly more stringent, with specific security safeguard requirements for protecting PHI, including requiring identity verification to access patient records. The Office for Civil Rights (OCR) will start doing HIPAA compliance audits in a few months, similar to the annual Payment Card Industry (PCI) audits for merchants.
Added risk of the mobile healthcare workforce
With the overwhelming prevalence of smartphones and tablets in our daily lives, it’s no wonder that an estimated 85% of the U.S. healthcare workforce is using personal mobile devices to access patient records, according to a study published in the Journal of Hospital Librarianship.
Mobile computing and Bring Your Own Device (BYOD), outsourced services, the Internet, social media, cloud-based applications and virtual gateways to patient data create security risks and HIPAA compliance challenges that can’t be addressed through traditional solutions. Stolen unsecured smartphones, tablets and laptops provide a direct path to patient data.
In a recent study by the Ponemon Institute, 96% of respondents reported suffering a data security incident involving a lost or stolen device. In addition to damaging an organization’s reputation, a breach is expensive. For example, in May 2015 Columbia University and New York-Presbyterian Hospital were fined a combined $4.8 million for HIPAA violations when a doctor disconnected his personal computer from the hospital network, leaving patient information vulnerable to discovery through Internet search engines.
The proliferation of mobile computing, combined with the new HIPAA guidelines requiring healthcare workers to verify their identities before accessing patient data, is causing healthcare organizations to seriously consider alternatives to basic password protection. In June, for example, the Department of Veterans Affairs (VA) issued a memo requiring two-factor authentication for local and network access to privileged accounts. Two-factor authentication isn’t a new technology. It’s been used for decades by organizations intent on beefing up security for access to sensitive information stored on corporate servers behind the firewall.
Two-factor authentication plays well with firewalls, data encryption and other types of technical, physical and administrative safeguards. It also works with firewall protection to prevent hackers from using a stolen device to infiltrate the network, while fulfilling the HIPAA requirement for identity verification. The challenge is to select a two-factor authentication solution that is palatable and easy to use, while satisfying an organization’s need for a high level of security and reliability, all at a price point that makes it realistic to roll out. Ideally, it should also be easy to install, implement, use and maintain.
Some two-factor authentication solutions also allow organizations to lock down the privileged access granted to system and network administrators. This prevents hackers from escalating their attacks by stealing admin credentials, which would otherwise let them install software that gives them direct access to the network and patient data, as happened in the massive Anthem breach.
What does the future hold?
One thing is certain: the healthcare workforce is increasingly mobile, and the risks associated with that are large. Healthcare organizations have no choice but to look at alternative means to secure and protect data, or face the serious consequences of a data breach.
Looking beyond password protection is a great place to start. How will you secure sensitive data and PHI in 2016?
Nick Owen is president of WiKID Systems Inc., a provider of two-factor authentication that helps organizations guard against unauthorized access to sensitive data.