Three reasons why healthcare needs to devote more resources to security
Despite the recent rise of data breaches involving ransomware and malware targeting healthcare organizations, the industry is still unprepared to combat these kinds of malicious attacks. According to the 2016 HIMSS Cybersecurity Survey, 32 percent of acute and 52 percent of non-acute providers are not encrypting data in transit, and only 61 percent of acute providers and 48 percent of non-acute providers are encrypting data at rest. Results of this survey were released only a few weeks after the latest massive cyberattack on a Phoenix-based health system compromised the records of 3.7 million individuals. In this attack, hackers targeted data from credit cards. The health system confirmed that the attack began on systems that process credit card payments for food and beverage purchases at the health system’s locations.
Leaving payment card data unencrypted exposes it to the threat of malicious cyberattacks. Compared to other industries, unencrypted data is still a big problem in healthcare. According to the California Data Breach Report, more than half of all healthcare breaches last year were a result of a failure to encrypt data. In comparison, only 16 percent of breaches in other industries were a result of failure to encrypt data.
Unencrypted payment data in healthcare is particularly problematic because criminal attacks are increasingly targeting healthcare organizations. According to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data from the Ponemon Institute, criminal attacks are the leading cause of a data breach in healthcare for the second year in a row. Ponemon describes criminal attacks, including ransomware and malware, as “the deliberate attempt to gain unauthorized access to sensitive information, usually to a computer system or network, resulting in compromised data.” In 2015, 50 percent of healthcare organizations reported that the nature of their breach was a criminal attack.