The trend in remote working spurred by the COVID-19 pandemic has demonstrated how much our society relies on technology for occupational interconnectivity and productivity through software like Zoom, online data storage solutions and the use of cloud-based Software as a Service (SaaS) applications. Online technology provides tangible business benefits but raises cybersecurity and data privacy concerns.
One area that IT security experts consider particularly vulnerable is healthcare. Patient data is valuable to cybercriminals, who can sell it for significant sums on the underground market. According to the most recent Annual Report to Congress on Breaches of Unsecured Protected Health Information, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) received 609 notifications of breaches affecting 500 or more individuals, involving a total of approximately 37,182,558 patient records. The OCR also received 63,571 reports of breaches affecting fewer than 500 individuals, with unauthorised access or disclosure being the most frequently reported type of breach. These smaller breaches affected a total of 319,215 individuals.
Why do cybercriminals target medical records?
Many healthcare organisations find themselves a target of criminal activity due to a weak cybersecurity and data protection posture. Hospitals hold enormous amounts of data, an extensive quantity of which has only recently been digitised. Most hospital systems were not designed through a security-first lens; they were created simply to store data and make it easy for hospital staff to access. The software that manages this colossal volume of information is often underprepared in terms of technical security controls. Whether it comes down to human error – such as an individual falling victim to a phishing scam or a Trojan horse – or a lapse in the system itself, cybercriminals have great success finding their way to the data.
Healthcare data is particularly precious. Many of these records contain personally identifiable information (PII), which, as the name suggests, is data that can be used to identify someone directly. PII includes information such as social security numbers, passport and driving licence numbers, names and addresses, all of which can be connected to a broader stream of information to build a profile of an individual. PII is valuable because, unlike credit card numbers, very little of this data changes or expires over time. Because of this, cybercriminals can use healthcare data to exploit victims more effectively and for extended periods.
Cybercriminals now use PII to commit fraud through a new, fast-growing method involving “synthetic identities”. Hackers create fake profiles by merging valid information stolen from records with falsehoods, establishing a quasi-fictitious identity that can be used to commit fraud. Once hackers have the PII, it is easy to create multiple profiles and keep them all active simultaneously, even for long periods, without being caught. Synthetic fraud is growing faster than any other financial crime, making hospital records a lucrative target for aspiring cybercriminals.
There has also been a significant increase in the use of ransomware attacks to blackmail victims into paying hefty fees in return for their data. Ransomware typically uses cryptographic algorithms to encrypt data, making it inaccessible to legitimate users; the attacker then demands payment to decrypt it. There are ways of avoiding paying these fees, but they are often time-consuming and risky. The consequences of not paying could be devastating for hospitals or general practitioners hit by these attacks. The severity of the disruption that an attack on healthcare records can cause makes them an incredibly appealing target for cybercriminals, as it maximises their chances of receiving a ransom payment. After a March 2022 hack on a Neuchatel medical centre, the hackers requested a ransom in exchange for the data. The doctors refused the request on the authorities' advice, and the perpetrators responded by leaking over 40,000 patient records on the darknet.
How important is a secure data protection framework?
The sheer value of the data stored by healthcare organisations is reason enough to justify considerable investment in information security. Whilst banks have taken significant steps to defend against these new forms of identity fraud, healthcare providers find themselves outflanked by an increasingly technologically savvy type of criminal. An additional danger lies in the increasing interconnectivity of the healthcare industry: many organisations continually interact with, and pass data to and from, one another. The number of potential weak spots and targets inherent in the daily operations of healthcare providers means that a risk-based approach to securing sensitive information is imperative.
Healthcare organisations now require a structured framework of policies, procedures, guidelines, resources and associated controls to reduce information risk. Implemented solutions must detect attacks before they succeed, and backstops must be in place to respond should a data breach occur, so that damage is minimised.
There must be a holistic approach to implementing information security controls, one that addresses physical, organisational, technical and, most importantly, people-related risks. Anyone with access to records is a potential weak spot for hackers to target, so every staff member must be trained to recognise and avoid digital security threats. Many data breaches result from phishing scams, most of which are avoidable by increasing employee awareness through training and simulation exercises.
Today, data has become the most valuable currency on the underground market. The intrinsic nature of patient records makes them a goldmine for cybercriminals looking to take advantage of healthcare organisations whose lax cybersecurity postures make them low-hanging fruit.
As a healthcare provider, your duty is to protect patient data. You must take steps to implement a cohesive and comprehensive security framework without delay to avoid the severe potential consequences of a data breach.
MOD1 Cybersecurity Privacy Risk and Compliance Services
MOD1 offers cybersecurity, privacy, risk and compliance consulting solutions to digital life sciences organisations and healthcare providers. We design our bespoke services to safeguard against data breaches, loss of revenue, damaged reputation, operational downtime and legal liability. We professionally tailor our offerings to match each client’s budget, complexity, and size so we can best meet their needs.
We founded our success on ethics, agility, credibility and execution excellence – these guiding principles ensure we deliver consistent value to our clients. Our accredited subject matter experts are accustomed to working in highly regulated business sectors, where protecting critical information assets is vital to achieving organisational objectives.
If you are ready to give your sensitive personal data the protection it requires, then book your free consultation with a MOD1 expert today!
As CEO and founder of MOD1 AG, Dylan Johnston dedicates his energy to helping organisations break down barriers to digital transformation through the adoption of a risk-based approach to securing sensitive personal data and critical business information assets. Dylan’s work for AT&T, Swisscom, the United Nations, the Bank for International Settlements and Hoffmann-La Roche has equipped him with unique insight into how to inject cybersecurity and data privacy practices into organisational culture.