The healthcare industry has been particularly vulnerable to cybersecurity risks. The biggest data breaches in 2018 involved email, phishing attacks, and the misconfiguration of databases. One attack even lasted longer than a year.
With so much patient data in the healthcare system, it’s becoming increasingly important to improve data security. There are a variety of ways healthcare professionals can better protect data. They need to begin by looking closely at what isn’t working. Additionally, they must conduct thorough analyses and respond and adapt to what they reveal.
In this article, we’re going to highlight some of the biggest data breaches in the healthcare sector in 2018. We are also going to discuss the consequences of these healthcare data breaches, and highlight how to stop them.
Data Breaches Common in Healthcare
In 2019, the healthcare sector can expect to see more of the same problems. After all, hackers are becoming more sophisticated. Ransomware occurrences are on the rise. Insider errors remain one of the biggest dangers, and phishing attacks target the employees responsible for those errors. A big part of the problem is that the industry is struggling with limited resources and staffing issues, and according to Health IT Security, this will ensure that attacks continue through 2019 and possibly much longer.
Let’s take a look at the five largest breaches in healthcare over the course of 2018 and the number of people each breach affected. This should provide an idea of what a huge problem this has become. It’s an issue that affects many Americans, as most of us have sensitive data in their systems.
5. LifeBridge Health: 500,000 Patients
LifeBridge Health was the victim of a serious malware attack. During this attack, hackers gained access in September of 2016, though the healthcare company didn’t discover this breach until March of 2018.
During that year and a half, hackers had access to numerous patient details, including demographic information, insurance data, and medical histories. Some patients even lost their social security data.
4. Health Management Concepts: 502,416 Members
HMC was the victim of a ransomware attack that somehow turned into a data breach involving information for half a million of their members.
HMC paid the ransom to have the files released, but in doing so accidentally sent the then-decrypted files back to the hackers. Included in the information that hackers had access to were social security numbers, names of members, and other sensitive data. Officials never said how or why it had happened.
3. CNO Financial Group: 566,217 Customers
Bankers Life, CNO’s largest unit, notified customers of a breach on August 7, 2018. By then the breach had been going on for months. In total, it lasted from May 30 to September 13. Hackers were able to gain access to the credentials of several employees, which gave them access to company websites and the data of several hundred thousand policyholders.
Information in this breach included names, dates of birth, insurance information, and the last four digits of social security numbers. Many customers lost social security numbers, as well as credit and debit card information and a host of medical history files.
2. UnityPoint Health: 1.4 Million Patients
UnityPoint suffered two phishing attacks in 2018. In the first, attackers gained access to a staff email account, which compromised 16,000 patient records. The second would prove much more destructive.
Hackers sent out phishing emails to employees that looked similar to an email from company executives. One employee fell prey to their emails, which led to hackers gaining access to the data of nearly one and a half million patients. Perhaps most egregious was that the attack occurred in March and April, but patients weren’t notified until July.
1. AccuDoc Solutions: 2.65 Million Atrium Health Patients
The largest data breach of 2018 in the healthcare industry was actually due to a billing vendor hack. AccuDoc prepares bills for patients and operates the billing system for Atrium Health.
The breach lasted exactly one week, from September 22 to September 29. The investigation showed that hackers could view the data but not extract it. AccuDoc notified Atrium Health of the breach on October 1.
The largest breaches of last year happened in a variety of ways ― from malware and ransomware attacks to phishing emails sent to employees and a vendor breach. This is a big part of the problem. Unfortunately, attacks can happen in so many ways, and all it takes is one weak link in the chain.
Ways Professionals Are Enhancing Security
According to Taylor Armerding in a story published in Forbes, connected medical devices are the most vulnerable part of the cybersecurity puzzle in the healthcare industry. Changes are coming, says Armerding, but they won’t happen quickly.
An FDA announcement in June of 2018 introduced the adoption of UL 2900-2-1, a new standard that is designed to improve software security in new devices. The expected impact, according to Armerding, is substantial.
The problem is that people did not design current medical devices to be used with internet connections. Hackers know this and target these devices. Security experts also know this and have been warning the industry for years.
A June 2017 report from a congressional task force ― “Report on Improving Cybersecurity in the Healthcare Industry” ― mentions that healthcare cybersecurity, in particular, “is in critical condition.”
Hackers gaining access to medical devices isn’t just about data breaches. Hackers can also compromise patients’ health and even their lives. Some of these devices are implants, which makes them even more problematic.
At the Black Hat convention in Las Vegas, two cybersecurity experts, Billy Rios and Jonathan Butts, led a session titled “Exploiting Implanted Medical Devices,” in which they demonstrated how these devices, including pacemakers, were vulnerable and easy to exploit remotely.
The new UL standard that the FDA is adopting for medical devices will likely fix many of these issues. However, Armerding warns that it doesn’t mean they’ll suddenly be bulletproof.
Prevention Is Key
Preventing cybersecurity breaches in the healthcare industry will be an ongoing effort for the foreseeable future. However, in an industry where only 40 percent of organizations are concerned and 53 percent have people in place to thwart these attacks, it may be an uphill battle.
There are some steps, according to Norwich University, that healthcare organizations can take to better protect themselves.
- Regular assessments of all IT systems, including policies, threats, risks, and vulnerabilities
- Better staffing ― hiring IT professionals with the proper credentials and training
- Better training for all employees, including making certain they understand all rules and regulations
- Encrypt all patient data, especially data that’s accessed through servers, computers, and medical devices
- Limit access to data only to employees who need it to do their jobs
- Hold all business associates accountable, including third-party vendors
- Development of better processes for identifying and reporting breaches
While data breaches have been significant in the healthcare industry, it appears that changes are coming where they’re needed most: advancements in medical devices. However, the bigger problem seems to be prioritization and the recognition that a problem even exists, as those percentages above indicate.
Understanding the need to be concerned and hiring professionals that can help limit the risks associated with cybersecurity breaches has to become the main priority for companies in this industry. The current situation isn’t just creating massive problems for those who have had information stolen in the past, but for all of us when it comes to restoring trust in the entire healthcare system moving forward.