Healthcare Security: Moving Forward after the Anthem Breach

Following the recent Anthem data breach, data security is back in the national spotlight. Healthcare data breaches not only create financial vulnerabilities for companies and consumers, but they can also pose serious medical threats due to tampered medical histories of affected patients.

While healthcare data breaches have not received as much media attention as the recent Sony or Target hacks, healthcare breaches can have a far greater personal effect on the individuals involved than hacks perpetrated in other industries.

What Makes Healthcare Data so Vulnerable?

Although data breaches in any industry pose great threats, healthcare data breaches have the potential to inflict greater financial and personal consequences on clients and companies. Here are some of the main concerns when it comes to healthcare breaches.

1. Health companies face unique challenges in transferring health records securely.

Many healthcare companies are still inexperienced in transferring their Electronic Health Records (EHRs) securely, so their records may be more exposed than they need to be. Some healthcare companies have the technology needed to exchange records securely; others still lack the security practices needed to withstand skilled attackers.

Astute healthcare companies, however, have turned to suitably qualified partners for security certificates created specifically for the healthcare industry. DigiCert is certified to issue Direct certificates—PKI certificates built specifically for the healthcare industry. As the first company to issue Direct-compliant FBCA Certificates and as a founding member of DirectTrust, DigiCert has made securing health records a top priority.

2. Healthcare companies need to refocus their infrastructure to protect against breaches.

Many healthcare companies are still learning how to protect against and prevent data breaches. Unlike credit card companies and banks, which have established measures for quickly recognizing fraudulent activity and stopping it, healthcare companies can take months to notice an intrusion, if they notice it at all.

According to Lynn Dunbrack, research VP at IDC Health Insights, “Cybercriminals tend to think of healthcare organizations as soft targets. Historically, they haven’t invested much in IT, and security specifically.” Knowing that healthcare companies are seen as easier targets should give these companies the necessary motivation to improve their security practices.

3. The consequences of healthcare breaches are much more severe.

While the consequences of ordinary identity theft can be expensive and frightening, the impact of a healthcare data breach is often more expensive and can even be lethal. According to estimates found in CSO’s recent article, “The average profit [for healthcare identity theft] per record is $20,000—compared to just $2,000 for regular identity theft.” This estimate is just one of the reasons that healthcare data breaches pose a greater threat to individuals.

In addition to the financial threat, many attackers who steal healthcare records tamper with them to make a higher profit (mostly through the resale of prescription drugs). While the consequences of hacks aimed at obtaining and selling drugs are obvious, the same tampering can introduce life-threatening changes to a medical record (past surgeries, allergies, drug interactions), endangering a patient’s care in an emergency.

What Can Healthcare Providers Do?

As Scott Rea, DigiCert’s VP of Government and Security, pointed out in his recent article, healthcare companies have sometimes neglected to deploy even the most basic enterprise security controls. Without them, these companies make themselves easier to compromise and put their clients’ most sensitive data (Social Security numbers, medical records, credit card information) at great risk. In order to win back client trust and to remediate bad security practices, Rea provided two basic security solutions:

1. Two-factor authentication: As Scott Rea put it, “by requiring two-factor authentication for its employees and contractors, Anthem very likely could have prevented this attack.” When an enterprise relies solely on its employees’ usernames and passwords, a single phished, reused, or guessed password is enough to get in. Two-factor authentication, which requires the username/password plus proof of possession of a trusted device or physical token, means a stolen password alone no longer grants access and significantly decreases the chances of a breach.

2. Data encryption: While most industries encrypt their data at rest in 2015, the healthcare industry is still inexperienced in this respect. In his article, Rea reports that the data stolen from Anthem was not encrypted in the company’s databases. Encryption alone may not have saved the Anthem data, because an attacker holding valid credentials, with no second factor to stop them, can read records through the same application paths that decrypt them; even so, it would have provided an additional barrier between the hackers and the data, and it protects against theft of backups, disks, and raw database dumps.
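To make the first solution concrete, here is an added example (not DigiCert's code, and not anything described in Rea's article) of a login check that requires both a password and an RFC 6238 time-based one-time code from an authenticator device, using only the Python standard library. The usernames, passwords, PBKDF2 iteration count and clock-skew window are assumptions chosen for illustration; the TOTP seed used in the usage section is the published RFC 4226/6238 test secret, so the codes it produces match the RFC test vectors.

```python
"""Password + TOTP second factor (added example, not code from the original post)."""
import base64
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30        # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6
SKEW_STEPS = 1        # assumption: accept one step either side for clock drift
PBKDF2_ITERS = 200_000  # assumption: tune for your hardware


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // TOTP_STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


class Account:
    """One user record (constructed for the example). In a real system the TOTP seed
    would itself be stored encrypted, which is where the second solution comes in."""

    def __init__(self, username: str, password: str, totp_seed_b32: str):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_seed = base64.b32decode(totp_seed_b32, casefold=True)
        self.last_counter = -1   # highest time step already accepted; blocks code replay

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

    def check_totp(self, code: str, now: int) -> bool:
        counter = now // TOTP_STEP
        for c in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
            if c <= self.last_counter:
                continue             # this step was already used (or is older): reject replay
            if hmac.compare_digest(hotp(self.totp_seed, c), code):
                self.last_counter = c
                return True
        return False


def login_password_only(account: Account, password: str) -> bool:
    """The single-factor path the post warns about: a phished or reused password is enough."""
    return account.check_password(password)


def login(account: Account, password: str, code: str, now: int) -> bool:
    """Two-factor login: the password must verify, then the one-time code must verify."""
    if not account.check_password(password):
        return False
    return account.check_totp(code, now)


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890", base32-encoded as an authenticator app would expect
    seed_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    alice = Account("alice", "correct horse battery staple", seed_b32)
    stolen_password = "correct horse battery staple"
    print("password only:", login_password_only(alice, stolen_password))           # True
    print("two-factor, no device:", login(alice, stolen_password, "000000", 59))   # False
    print("two-factor, with device:", login(alice, stolen_password, totp(alice.totp_seed, 59), 59))
```

The replay check matters in practice: without `last_counter`, a code observed in transit stays valid for the whole skew window, so an attacker who captures one code alongside the password could log in within the next minute.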

Calling All Healthcare Organizations

As Avivah Litan, cybersecurity analyst at the research firm Gartner, has estimated, “The healthcare industry is generally about 10 years behind the financial services sector in terms of protecting consumer information.” This severe security lag causes healthcare organizations to lose credibility and client trust—not to mention the immense financial costs of devastating attacks like the Anthem one.

Unfortunately, there is no way to reverse the effects of the Anthem breach. However, in order to avoid such attacks in the future, Anthem and other healthcare organizations must take this opportunity to start prioritizing better security practices and improve the state of healthcare security from here on out.