According to a survey released Aug. 28, more than 81 percent of healthcare providers and payers (insurance companies) acknowledged that their organization has been cyber attacked during the last two years. The 2015 KPMG Healthcare Cybersecurity Survey also indicated that only half of the 233 chief information, technology, security and chief compliance officers felt they were adequately prepared to prevent attacks by malware, bots or other hacking efforts.
The number of attacks against the healthcare industry is increasing, with about 25 percent seeing attacks several times a week. The type of information collected and stored by both health providers and insurance companies is considered “rich” to thieves. Jay Foley of ID Theft Info Source explained, “Health plans, doctors, hospitals and other providers collect your name, address, Social Security number, health insurance number, birth date, emergency contact info and more. That is all that is needed to steal your identity. Your information can be used to get credit, medical care, a driver’s license, a car, house and even a job. It can be sold between thieves, on the black market, or used by forgers to create counterfeit documents to sell to people who need a new identity. That is why it is considered ‘rich’ information.”
“Because health providers and payers are using more electronic technology systems to communicate to each other, it opens a door to cyber hacking,” Foley continued. “Almost everyone’s information, including those who had died or were recently born, is in one or more health care databases. Because of the large amount of people employed by the health care industry, insiders are also a threat. The healthcare industry has to take more care in protecting its infrastructure and what is called electronic personal/protected health information (ePHI).”
The report backed Foley’s concern. It concluded that the healthcare industry is behind other industries and too frequently uses “outdated clinical technology, insecure network-enabled medical devices, and (has) an overall lack of information security management processes.” Also concerning is the fact that 16 percent said they could not detect in “real-time” any compromise to their systems.
Disturbing to privacy experts is the fact that the KPMG survey revealed that the top motivating factors to protect information focused around regulatory enforcement, litigation, financial and reputational loss rather than the impact to the individuals affected. The report explained, “Payers tend to be larger, publicly traded organizations that operate in multiple jurisdictions. Their main concerns are a financial loss that could affect shareholders or a reputational impact that could dampen growth plans.”
As seen in the recent breaches at Anthem, OPM and the IRS, there is a concern that these multiple databases could be used to compile profiles, which increases national security threats. Since hackers will always find flaws to exploit, the changing nature of cyber threats requires implementing a completely new approach, based on: “Incorporation of cyber security in the technology and network architecture upfront, via strategic design. Since many organizations achieved their interconnectivity by evolution, resulting in inadequate controls, what is in many cases required today is a redesign and development of a security implementation plan. Investment in security needs to become part of a cohesive, coordinated digital strategy.”
“The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records,” said Michael Ebert, leader in KPMG’s Healthcare & Life Sciences Cyber Practice. “Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for execs is to advance their institutions’ protection to create hurdles for hackers.”