Nine out of 10 health care organizations have been breached since 2013.
That is a mind-boggling statistic. And it gets worse. According to Trustwave’s 2015 Security Health Check Report, hackers are causing some costly damage:
[T]he number of individuals who have had their medical records compromised has doubled in the past five years. All told, cybercriminals are wreaking $6 billion in annual damage on America’s largest private-sector industry.
The Trustwave study is just the latest one to report on the serious security issues within the health care industry. An eSecurity Planet article reported on a health care study conducted by Raytheon/Websense, which found that:
[T]he health care industry experiences 340 percent more security incidents and attacks than most other industries.
In addition, another study, this one by KPMG, found that approximately eight in 10 health care institutions admitted that they had dealt with security issues like malware and cyberattacks over the past two years.
Why is health care such a huge target? According to the Trustwave study, several factors are at play: medical records are increasingly available online; connected devices and the cloud provide a wider attack surface; and, perhaps most importantly, health care data is financially valuable to cybercriminals. The health care infrastructure is also an easy target because it is often outdated and vulnerable.
Also, few industries have the vast amount of data that the health care industry holds. I think it would be fair to say that almost every person has a health record on file somewhere, even if it has been years since the last doctor’s appointment. That alone would be 300 million records ripe for picking, each with varying layers of information available to be compromised. No wonder cybercriminals see it as a gold mine.
So what can be done to curb the cyberthreats against the health care industry? The easy answer is to upgrade the IT infrastructure to something more secure, but that’s expensive and takes time. Security Intelligence provided a couple of suggestions to the health care industry: regular risk assessments and better employee security training. This sounds like the type of thing I would suggest. But I’ll take it one step further: Industry leaders need to get on board and begin taking security a lot more seriously. Until they do, there will be no budget or support to meet security needs, and frankly, this is data that is too important to leave unprotected.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba