Healthcare Organizations a Soft Target for Cybercriminals

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, at a time when the internet was still in its infancy. Over the following 18 years the volume of information stored in an electronic format has grown at an extraordinary pace, and with it the threat of theft. Today, ePHI is stored on servers, in the cloud, and on mobiles and laptops, and according to a recent report by IDC Health Insights, the healthcare industry is seen as a soft target by cybercriminals.

The report, titled “Business Strategy: Thwarting Cyber Threats and Attacks against Healthcare Organizations,” suggests that the security issues faced by the healthcare industry are a result of poor investment in IT security infrastructure over the preceding 18 years.

The financial industry is a prime target for cybercriminals, but organizations have invested heavily in security systems to protect the financial details of clients. While no organization is impregnable to attack, financial organizations are viewed by criminals as hard targets. Hospitals and healthcare clinics, on the other hand, are relatively easy to infiltrate, as many do not have robust security systems.

Furthermore, the rewards for obtaining access to ePHI are considerable. Personal health information, in particular Social Security numbers, is highly prized by thieves. Credit card numbers may previously have been the most valuable data to steal; however, credit card theft is identified quickly and cards and accounts are blocked, limiting the goods and services which can be obtained.
Social Security numbers can be used to commit medical fraud, such as obtaining prescription medications which can be sold on the black market, and increasingly, ePHI is being used to make fraudulent insurance claims. According to the report, the value of Social Security numbers far surpasses that of credit card numbers because the financial rewards are much higher. The theft also takes longer to be identified, and thieves can run up debts of tens of thousands of dollars before the victims become aware of the fraud.

Included in the report are some findings from the 2014 IDC Insights Cross Industry Cyber Threat Survey, which asked questions about cybersecurity issues across the retail, financial and healthcare industries. The survey was conducted to determine how the current elevated threat of online attacks is being dealt with and what impact the attacks are having when thieves successfully gain access to protected information.

Alarmingly, all respondents in the survey reported that at least one cyber attack had been attempted during the previous 12 months, and over a quarter (27.1%) of the respondents reported that those attacks had been successful. Additionally, almost 4 out of 10 (39.4%) respondents claimed to have been attacked more than 10 times over the course of the year.

Lynne Dunbrack, vice president of IDC Health Insights, believes that it is no longer a case of whether an attack will take place, but when it will happen. Cybercriminals will attempt to gain access to ePHI at some point, so it is imperative that healthcare organizations have the security systems in place to protect patient ePHI and that they take proactive steps to predict attacks rather than simply having a reactive security strategy in place.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.