The healthcare industry is a major target for cyber criminals and remains vulnerable to data breaches. Medical practitioners, hospital systems, insurance providers, pharmaceutical companies, and other healthcare-related organizations have suffered costly breaches and remain constantly at high risk.
For example, a 2016 report from the HIPAA Journal covers some of the major breaches involving millions of patient records. But even when breaches occur on a smaller scale, they endanger patients, violate HIPAA regulations, and damage the trust the public places in healthcare organizations (not to mention the steep financial costs they impose on the organization itself).
IBM reportedly referred to the healthcare industry as “a leaky vessel in a stormy sea.” Cyber criminals are strongly tempted by its cargo, which includes:
- All kinds of financial information, such as credit card numbers and bank account details.
- Additional personal identifiers, including Social Security numbers, birthdays, and insurance ID numbers.
- Contact information including home addresses, phone numbers, and emails.
- Log-in credentials such as passwords and user names.
- Confidential data about medical conditions and other health-related issues.
Criminals can readily sell this information or use it directly to perpetrate identity theft and other crimes. The more information they can piece together about any individual, the more likely it is they’ll succeed in using that identity for nefarious purposes.
Unfortunately, healthcare organizations often prove easy targets for the following reasons:
- Reliance on an outdated IT set-up. Older hardware and outdated software often lack protections found in more recent versions, which makes them more vulnerable to hacking. For example, if a medical practitioner’s website uses a version of a content management system that doesn’t contain recent security patches, hackers can more easily inject malicious code into it. They can steal or tamper with information from the site’s database and infect computing devices used by patients and medical staff.
- Inadequate IT support. In spite of the wide-ranging threats health organizations face, many of them still don’t have sufficient IT support, particularly from IT professionals with cyber security expertise. Powerful IT support can help prevent cyber attacks or contain and minimize them once they’re underway. IT professionals can evaluate systems for vulnerabilities and come up with cyber defenses tailored to a particular organization. They’ll also anticipate future vulnerabilities and help prepare for them.
- Employee errors. Employees in the healthcare industry need to undergo comprehensive cyber security training, not simply for HIPAA compliance but more generally for safe computing habits. For example, all it takes for an organization to suffer a crippling ransomware attack is for an employee to carelessly download an email attachment or get tricked by a phishing attack.
- Vulnerability to third-party vendors. Healthcare organizations usually operate in collaboration with a number of vendors. A 2016 article from Healthcare IT News highlights the dangers of vendors who have poor security policies and measures. Even if a healthcare organization has top-notch cyber security, it could still compromise patient information by sharing it with a collaborating organization that falls short on cyber defenses.
- Security weaknesses in new healthcare technologies. Cyber criminals are always on the lookout for new avenues of attack. These include healthcare transactions and information delivered through websites and smartphone apps. They also include security holes in new kinds of devices, such as pacemakers capable of wireless communications. The Internet of Things (networks of Internet-enabled devices) has become part of the healthcare industry and may leave patients open to hacking and even life-threatening situations.
These are the main reasons the healthcare industry remains a prime target for cyber criminals. It’s imperative that organizations handling patient data develop comprehensive cyber security plans and rely on high-quality defenses to safeguard their data and their systems.