A new report recently published by IT security firm Redspin shows the main cause of healthcare data breaches in 2015 was hacking.
2015 was not the first year in which hacking was the main cause of healthcare data breaches. In 2014, just over half of healthcare data breaches were caused by hackers; however, in 2015 the percentage had risen to 98%.
Main Cause of Healthcare Data Breaches is Now Hacking
Redspin analyzed data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights for its Breach Report 2015: Protected Health Information (PHI). The report says the healthcare industry has seen exponential growth of hacking in 2015.
A total of 154,368,781 records have been compromised since 2009 when OCR started publishing healthcare data breach reports via its breach reporting portal.
73% of the healthcare records compromised since 2009 (113,208,516) were exposed in data breaches reported to OCR in 2015, with 98% of those records exposed due to hacking and IT security incidents. Redspin puts this down to the increased sophistication of hacking tactics, with phishing scams in particular highlighted as one of the main ways that healthcare record heists take place.
Efforts are being made by healthcare organizations to improve security, but they do little to prevent phishing attacks from being successful. If a member of staff can be convinced to open an email attachment and install malware on the network, multi-million-dollar security defenses will be bypassed.
To protect against social engineering attacks, healthcare organizations must conduct regular training and advise employees of the common social engineering tactics used by cybercriminals. Only by improving understanding and awareness of these tactics can healthcare organizations effectively protect against cyberattacks.
With hacking now the main cause of healthcare data breaches, it is essential that healthcare organizations commit more funding to cybersecurity defenses. Many organizations are doing just that and are now making cybersecurity defense a priority.
Why Are Hackers Targeting Healthcare Organizations?
Healthcare data is in big demand. Criminals can use the data to commit identity fraud, Medicare fraud, insurance fraud, and tax fraud. While in years gone by credit card numbers were most commonly sought by criminals, attention has switched to healthcare data because the information stored by health systems and health plans can be used for longer and can net criminals far higher rewards.
Credit card fraud is rapidly identified. In many cases credit card companies identify fraudulent use of credit card numbers within a matter of hours and block accounts. The fraudulent use of Social Security numbers may continue for weeks, months, or years before being detected. During that time criminals can use the data to rack up huge debts in the names of victims. It is unsurprising that criminals have healthcare providers and health insurers firmly in their sights.
To make matters worse, healthcare organizations are typically easier to attack than organizations in other industries. The security protections put in place to keep data secure tend to take longer to implement, and the industry has long suffered from underinvestment in cybersecurity defenses. Many hospitals still use aging or obsolete computer software, full organization-wide risk assessments are not always conducted, and even though the Health Insurance Portability and Accountability Act has introduced security practices that must be followed, not all healthcare organizations are in compliance. A look at the number of data breaches reported via the Office for Civil Rights data breach portal will make that abundantly clear.
Hackers will only stop targeting healthcare organizations when it is no longer profitable to do so. Unless healthcare organizations invest more heavily in improving cybersecurity defenses, large-scale data breaches are likely to continue to occur.