The healthcare cybersecurity market is expanding at an incredible rate. An April 2016 Grand View Research report projected that the scope of the industry would reach $10.85 billion by 2022. That may sound high, but it now looks like it was an underestimate: a February 2018 analysis released by Market Research Future predicts that health information technology (HIT) security will rise at a compound annual growth rate (CAGR) of 22% through 2022, ballooning from $4.8 billion to $15.82 billion.
Whenever a large amount of money is being made from a product or service, especially when sales are directly tied to feelings of threat or fear about security, it is reasonable to ask to what extent it is really needed. For example, consider the importance of making certain that your computerized maintenance management system (CMMS) is Health Insurance Portability and Accountability Act (HIPAA) compliant.
Is the security concern about healthcare data, the risk of protected health information (PHI) being corrupted, hijacked, or stolen, based on reality or on hype from vested interests? This article answers that question by reviewing recent breach statistics and a Harvard University report assessing cyber threats to healthcare.
Healthcare threats rise & shift focus
More data breaches were recorded across all industries during the first six months of 2017 than in the first half of any previous year: a total of 791, according to a July 2017 report from the Identity Theft Resource Center (ITRC). That number of logged incidents is 29% higher than the figure for the same six-month stretch of 2016.
Healthcare in particular was a favored target of hackers and a vertical likely to experience data compromise. The average healthcare organization surveyed for the Ponemon Institute's "State of Cybersecurity in Healthcare Organizations in 2016" report had experienced nearly one cyberattack per month during the 12 months prior to the poll, and a remarkable 48% of respondents reported that data had been lost or compromised during that year.
Looking at the entire segment, the number of data breaches reported by healthcare entities to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) rose from 450 in 2016 to 477 in 2017. The one piece of seemingly positive news is that the number of patient records affected by these breaches fell sharply, with roughly 80% fewer records exposed (from 27.3 million to 5.6 million).
Why would a decline in records exposed, clearly positive for patients, not be good news for everyone involved? The smaller number of records reflects a shift in attackers' focus from large enterprises to smaller healthcare organizations, which hold fewer records each but are typically less well defended.
These smaller-scale incidents have been increasing in tandem with a rise in ransomware, which saw an 89% jump in reported incidents between 2016 and 2017, per a January 2018 report featured in Healthcare Informatics. That study also drew its figures from breach data collected by HHS. It found that 24% more hacking or IT incidents were reported during 2017 than in 2016 (rising from 113 to 140).
Again, ransomware was central to this increase in hacking/IT incidents. While only 19 ransomware incidents were reported to HHS in 2016, that figure nearly doubled in 2017, rising to 36. That bump meant that roughly 1 in every 4 events reported to HHS in the hacking/IT incident category was ransomware. Furthermore, ransomware was responsible for every one of the six largest record breaches reported during 2017.
The report noted that the lower number of records breached compared to the previous year marked a turn away from large enterprises toward a greater focus on smaller players.
Harvard: broader look at healthcare threat landscape
The increase in ransomware is just one angle on how the safety and confidentiality of healthcare data is at risk. The issue is complex and is addressed not just by corporations but by academics. A report from Harvard University, published in January 2017, noted that the threat to PHI was becoming even more pronounced in part because of two internal failings: computer systems being used improperly by personnel (due to insufficient training) and a lack of proper defensive technologies (due to security tools and administration being under-budgeted).
At the same time that these internal issues have become more apparent, both the population of potential attackers and the diversity of cybercriminal actors have increased through broader access to for-hire hacking software and other elements of what the researchers call "the democratization of hacking techniques."
Another factor at play, according to the Harvard authors, rests on two facts: healthcare data is worth a lot of money, and it is relatively simple to steal information from the sector.
“[T]he healthcare industry is behind other industries in protecting its infrastructure” as well as its data, according to a 2015 report from accounting firm KPMG. That same issue still characterizes the market today.
Cyber threat typology
There are two basic forms of cyberattack used against healthcare companies: untargeted and targeted.
Untargeted attacks are general efforts to obtain healthcare records from whichever organization is cheapest to compromise. The attacker weighs the cost and benefit of going after the records at one organization versus another: how many health records are in a system and how hard they will be to steal (i.e., how many security protections are in place). Untargeted attacks may also be used to harm patients. For example, a terrorist will first weigh the cost of breaching a system against the potential gain before attacking a large pool of medical devices.
Targeted attacks go after specific data. The attackers know what they are attempting to do and the nature of the environment, and use those details to set their budget and strategy. One example tactic is to blackmail the targeted organization using details drawn from PHI, which usually yields more money than selling the same data to unrelated parties. Because the attacker knows the high value of records obtained through targeted efforts, they will work hard to get them and will keep trying workarounds if they have difficulty entering a system, for example one protected by HIPAA-compliant managed hosting.
Top healthcare adversaries
The value of electronic health record data on the black market has skyrocketed, drawing a more diverse spectrum of attackers with more refined skill sets. The attacker profiles a healthcare entity is likely to encounter are the following:
- Individuals & small hacker teams – These actors typically want to make a name for themselves and/or make money.
- Political organizations – Adversaries in this category conduct hacktivism for political and sometimes financial reward.
- Crime rings – These groups are after money, often via coercion, extortion, or blackmail. They may try to obtain the health records of a targeted individual or sell health records in bulk.
- Terrorists – This type of attacker wants to spread fear and cause harm to individuals.
- Nation-state actors – These attackers may want to threaten or harm people. They may also want to obtain health records in volume to commit fraud at a larger scale.
Prioritizing security & HIPAA compliance
In a threat landscape that is evolving and broadening, healthcare security and compliance must be prioritized. Reducing your risk means looking not just at your own systems but at those beyond your own walls. Be certain that your CMMS provider and your other business associates, such as your HIPAA hosting provider, are as concerned about the security of your data as you are.