When it comes to data breach incidents, the global healthcare sector seems to suffer more than most. What is it that makes the industry so susceptible to breaches and is there anything that can be done to prevent the hemorrhaging of sensitive data? What can it do to restore patient trust?
Securing healthcare data and protecting patients’ privacy has proven difficult for many private and public sector organisations. The threat landscape in the health and social services sector is both huge and varied. The very nature of the data being transmitted across healthcare network infrastructure makes it attractive to cyber-criminals.
Patient records, for example, are a rich source of personally identifiable data, much of which could be sensitive in nature. For cyber-criminals, this represents two potential revenue streams. The data can be sold to rogue operators seeking to profit from identity theft or account access, but it can also be used for blackmail or social engineering.
Just as the sector seeks to increase the digitisation of patient records for sound economic and healthcare objectives, it continues to lose patients’ trust in its ability to protect their privacy.
There are several industry-wide trends that add to the number of threat vectors. Over the past 5-10 years the healthcare industry has embraced digital transformation, putting sensitive data at greater risk. For example, an increasing amount of data and applications have been moved to the cloud as caregiving becomes decentralised.
At the other end of the spectrum, public health organisations often retain legacy systems beyond their secure life. Connected devices and databases that run unsupported versions of software or operating systems no longer receive security patches and are an incident waiting to happen. As IoT and other technologies such as AI are increasingly adopted by the sector, the number of threat vectors will only increase.
Although the industry rarely suffers “mega-breaches” (like the Anthem incident in 2015 that saw 79 million records compromised), the frequency of breaches, and the associated costs, seem to be on the rise.
In the US, for example, there were more records breached in the first half of 2019 than in the whole of 2017 and 2018 combined. In Australia, the Office of the Australian Information Commissioner (OAIC) revealed that the healthcare sector topped the list of notifiable data breaches for the fourth consecutive quarter. In the UK, the WannaCry ransomware attack continues to wreak havoc, 2 years after it first ravaged the NHS, with over 4 million infection attempts in August 2019 alone.
In February 2019, Vardguiden (Sweden’s Healthcare Hotline) confessed to having over 170,000 hours of sensitive telephone conversations stored on an open web server. Later, in June of this year, Quest Diagnostics (a US provider of blood test services) saw almost 12 million patients’ financial and medical data leaked because of a security issue within its supply chain.
In April 2019 insurer Dominion National reported it had evidence of a sustained hack on its servers that had been ongoing for nine years and potentially compromised the records of 2.9 million patients, plus data belonging to related plan producers and healthcare providers.
The Anatomy of a Breach
According to the Thales Data Threat Report (Healthcare Edition) 70% of healthcare organisations have suffered a breach at one time or another. One third have experienced a breach in the past year alone.
One of the major challenges facing the healthcare sector is the diverse range of threats it faces. Whilst malicious or criminal attacks account for around 60% of all breaches, over a third (35%) are still down to human error – most notably using insecure channels such as fax or email to send sensitive data to the wrong people.
The average cost of a breach of healthcare data far exceeds that of any other market sector. According to IBM’s 2019 Cost of a Data Breach report, the average cost of a data breach has risen to USD 3.92 million. Within the healthcare sector, this figure is USD 6.45 million.
Prevention is Better than Cure
So, what can healthcare organisations do to protect themselves from data breaches? And how should they protect the data itself? The most obvious solution is to ensure all sensitive data is encrypted. Discussing three notable breaches in the healthcare sector earlier this year, April Sather (a fellow at the Cybersecurity Policy and Research Institute at the University of California) had the following advice:
“Whether data is stored in a file system or database, or moving across an online network, the data need to be encrypted”.
Despite a near universal recognition of the advantages of encryption, including its role in bringing down the overall costs of a breach, encryption rates across the industry are lower than expected. In a 2019 Thales poll, just 38% of healthcare organisations were implementing encryption as standard practice.
The other elephant in the room is human error. A third of all breached records are still the result of human error – be it lost devices or misdirected communications. In recent years, the cry to “encrypt everything” has been heard more and more often. However, it still doesn’t come close to the number of times people have said “email is not a secure medium for file exchange”.
With so many healthcare professionals on the road to digital transformation, the industry needs to adopt solutions that not only offer productivity or efficiency benefits but are also secure by design. Eschewing public cloud services and email in favour of secure file-exchange options will cut down on the number of breach incidents. Moreover, it will provide an additional layer of security against the growing threat of malicious content such as malware, ransomware and undisclosed zero-day attacks.
Senetas Corporation Limited (Senetas) is a global leader in the development of end-to-end encryption technologies. Our solutions protect data in motion for a wide range of commercial, government, industrial and defence applications.
Our CN Series hardware encryptors, CV Series virtual encryptors and SureDrop (our secure file sharing application) all share a common high-performance encryption platform. Thanks to their leading security and performance characteristics, our solutions are used to protect sensitive data and documents in more than 35 countries.