With rising cybersecurity breaches in healthcare, patient data security — including protected health information (PHI) and payment card information (PCI) — is more critical than ever. In fact, breaches resulting in the loss of confidential patient information are the top security concern among healthcare IT pros, according to an Armis survey.
In this article — part of our Internet of Medical Things (IoMT) series — we look at the upsurge of healthcare data breaches and share practical steps to protect patient records.
The number of incidents involving healthcare data has been increasing in the United States over the last few years. In 2021, over 45 million healthcare records were exposed or stolen, up from 34 million in 2020. The peak, however, was in 2015, due to a massive breach involving health plans (graph below).
Source: HIPAA Journal
A data breach can have a direct impact on quality care. If a hospital loses patient records, its staff members won’t have the information needed to administer proper treatment.
Hospitals might have to halt operations, including admissions and surgeries, which also has a negative financial impact. And there are increased financial losses when it comes to healthcare ransomware attacks — the theme of Chapter 4 of this IoMT series.
A data breach can have legal consequences, too. Hospitals have to comply with the Health Insurance Portability and Accountability Act (1996), which sets requirements to secure PHI.
In case of a breach, HIPAA-covered entities must notify affected individuals, authorities, and, in certain circumstances, even issue a press release. Per the HITECH Act, the Department of Health and Human Services posts a list of breaches of unsecured PHI affecting 500 or more individuals.
Non-compliance can be costly. Anthem, for example, paid $16 million to settle the case of its 78.8 million record data breach. It was the largest-ever financial settlement for a HIPAA compliance violation.
The healthcare industry has had the highest average data breach costs for 12 consecutive years, reaching $10.1 million on average, according to IBM Security’s Cost of a Data Breach 2022 Report.
Healthcare delivery organizations (HDOs) are a top target of cybercrime because they possess valuable data: personal, financial (for example, payment methods), and medical information of patients as well as intellectual property. Selling all this data on the dark web can be lucrative to criminals. No wonder financial gains are the motivation behind 95% of healthcare breaches, per the Verizon 2022 report.
Another concern is the cost of healthcare fraud. This crime happens when patients or medical providers deceive the healthcare system to receive benefits or payments. That’s the case when individuals use someone else’s health insurance or make claims for medical services that were not rendered.
We have divided the top causes of healthcare data breaches into three categories:
Data about the largest healthcare breaches of 2021 shows that 73.9% were hacking or other IT incidents. Lack of effective patch management and use of legacy protocols contribute to those attacks.
For an in-depth overview of the challenges of healthcare device security, read Chapter 2.
A foundational component of any cybersecurity initiative is to raise awareness among your team. After all, the human element accounts for 82% of breaches, according to the Verizon report. Typical examples include:
Making an honest mistake. Let’s say a lab employee submits the wrong lab results or loses a form with patient medical data. Whether an honest mistake or simply negligence, these actions play a significant role in security incidents. As the Verizon study indicates, employees “are more than 2.5 times more likely to make an error than to maliciously misuse their access.”
Healthcare organizations contract with a large number of third parties for services and products, which increases their exposure to cyberattacks. Storing PHI on cloud-based systems or renting medical equipment are typical examples.
A Ponemon Research Report points out that only one-third of critical and high-risk third parties are assessed annually. Effective risk assessment is crucial to mitigating threats. Hospitals need to understand how many PHI records are accessed, transmitted, or stored by third parties, but they often lack this level of visibility.
Concerned with patient privacy? Watch our webinar to learn how to identify risks and align threat models to better secure patient data.
Hospitals seeking to strengthen their resilience and prevent cybersecurity breaches in healthcare should start by establishing a comprehensive risk management program.
A 10-step roadmap for improved data security in healthcare should include:
Healthcare asset inventory alone is insufficient to ensure patient information security. Hospitals also need complete visibility into the behavior of every type of device — IT, OT, IoT, and IoMT.
Your team needs to see everything a device is doing in your network or air space, so you can detect abnormal behavior and understand where medical data is heading. Let’s say a CT scanner is sending unencrypted PHI traffic to an unsanctioned IP. This activity poses a security risk, but with this level of insight your security team can intervene before it becomes a breach.
With Armis, you can query your entire environment to see which traffic carries unencrypted PHI, and then drill down to forensic-level visibility by device type.
You can identify how many of those devices are laptops, x-ray machines, or MRIs. This level of detail enables you to understand the risks with a greater impact on patient care. Armis even lets you automate alerts and prioritize remediation based on clinical risks.
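The detection described above, written out as an added example rather than Armis code: a small Python script scores constructed flow records against a device inventory, flags cleartext PHI-bearing protocols (assumed here to be DICOM on port 104 and HL7 v2 over MLLP on port 2575) leaving for destinations outside a sanctioned set of networks, and then counts the hits by device type so the CT scanner, X-ray and MRI findings can be prioritized. The inventory, the sanctioned networks, the port-to-protocol mapping and the flow lines are all assumptions constructed for this example.

```python
"""Flag unencrypted PHI traffic from medical devices to unsanctioned
destinations and summarize it by device type.

All data below is constructed for this example; the port mapping and
sanctioned networks are assumptions, not a reference configuration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumption: in this environment these cleartext protocols carry PHI.
# DICOM (104) and HL7 v2 over MLLP (2575) send records in the clear;
# DICOM over TLS (2762) and HTTPS (443) are treated as encrypted here.
CLEARTEXT_PHI_PORTS = {104: "DICOM", 2575: "HL7-MLLP"}

# Assumption: the PACS and EHR subnets are the only sanctioned PHI sinks.
SANCTIONED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.5.0/24")
]

# Constructed device inventory: source IP -> (device name, device type).
INVENTORY = {
    "10.10.1.15": ("ct-scanner-01", "CT scanner"),
    "10.10.1.22": ("xray-03", "X-ray"),
    "10.10.2.40": ("nurse-laptop-07", "laptop"),
    "10.10.1.31": ("mri-02", "MRI"),
}


@dataclass(frozen=True)
class Finding:
    device: str
    device_type: str
    protocol: str
    dst: str


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: 'src_ip dst_ip dst_port bytes'."""
    src, dst, port, nbytes = line.split()
    return {"src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_sanctioned(dst: str) -> bool:
    """True when the destination falls inside an approved PHI network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in SANCTIONED_NETWORKS)


def find_unencrypted_phi_egress(lines):
    """Return a Finding for every cleartext PHI flow to an unsanctioned host."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        proto = CLEARTEXT_PHI_PORTS.get(flow["port"])
        if proto is None:
            continue  # encrypted or non-PHI traffic is not this check's concern
        if is_sanctioned(flow["dst"]):
            continue  # cleartext to the PACS/EHR is expected in this scenario
        name, dtype = INVENTORY.get(flow["src"], (flow["src"], "unknown"))
        findings.append(Finding(name, dtype, proto, flow["dst"]))
    return findings


def summarize_by_type(findings):
    """Count findings per device type, the view used to prioritize remediation."""
    return dict(Counter(f.device_type for f in findings))


# Constructed flow log: one CT scanner sends DICOM both to the PACS and to an
# outside host, an X-ray pushes HL7 to that host, a laptop uses HTTPS, and
# an MRI uses DICOM-TLS internally but cleartext DICOM to another outside host.
SAMPLE_FLOWS = """\
# src_ip dst_ip dst_port bytes  (constructed)
10.10.1.15 10.20.3.9 104 5200000
10.10.1.15 203.0.113.77 104 4800000
10.10.1.22 203.0.113.77 2575 1200
10.10.2.40 203.0.113.77 443 9000
10.10.1.31 10.30.5.12 2762 7700000
10.10.1.31 198.51.100.5 104 650000
"""

if __name__ == "__main__":
    hits = find_unencrypted_phi_egress(SAMPLE_FLOWS.splitlines())
    for f in hits:
        print(f"{f.device_type:<10} {f.device:<15} {f.protocol:<9} -> {f.dst}")
    print(summarize_by_type(hits))
```

Running the script reports three findings (the CT scanner, the X-ray and the MRI) and none for the laptop, whose HTTPS session is not a cleartext PHI protocol. In a real deployment the inventory and sanctioned networks would come from the asset platform rather than a dictionary, and the summary by device type is what lets a team rank a CT scanner leak above a workstation one.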
Take the next step toward improved patient data security in healthcare. Book a custom demo to see how Armis can help.
Armis helps healthcare organizations to take steps to mitigate cyberattacks and protect patient data by identifying all devices in their environment — IT, OT, IoT, and IoMT.
The Armis platform passively monitors device behavior in real time to detect suspicious activity. Our solution takes a risk-based approach to vulnerability management, enabling security teams to automate and prioritize remediation based on the impact on patient care.
Leading healthcare delivery organizations (HDOs) such as the Mater Hospital in Dublin and the Burke Rehabilitation Hospital in New York use the Armis platform for cybersecurity and asset management. Armis provides hospitals and clinics with complete asset inventory, cyber risk assessment, device utilization insights, and other use cases.
Read our healthcare case studies to learn more.
Protected health information (PHI) is the information held in an individual’s medical record. PHI is protected under a federal law named the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The 18 HIPAA identifiers are the Department of Health and Human Services’ list of data elements that identify an individual.
These identifiers are names, geographic identification, dates, phone and fax numbers, social security numbers, email addresses, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers or serial numbers, URLs, IP addresses, biometric elements, full-face photos and other identifying numbers, characteristics or codes.
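As an added example (not from the original article), the following Python scanner checks free text for the identifier categories in that list that have a recognizable format (social security numbers, email addresses, IP addresses, URLs, phone or fax numbers, dates and medical record numbers) and redacts them. Names, geographic data, biometrics and photos have no regular pattern and need structured fields or other tooling, so they are deliberately out of scope. The patterns, the category labels and the sample clinical note are assumptions constructed for this example.

```python
"""Find and redact pattern-based HIPAA identifiers in free text.

The regexes below are assumptions for this example; they cover common
formats, not every variant, and the sample note is constructed.
"""
import re

# Category label -> pattern. Order matters for redaction: URLs are replaced
# first so an address embedded in one is not reported twice.
IDENTIFIER_PATTERNS = {
    "URL": re.compile(r"\bhttps?://\S+"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone or fax number": re.compile(
        r"(?<!\w)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\w)"
    ),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "medical record number": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> dict:
    """Return {category: [matches]} for every category with at least one hit."""
    found = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[category] = hits
    return found


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed category tag."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


# Constructed clinical note; every value is fictitious.
SAMPLE_NOTE = (
    "Patient John Doe, DOB 03/14/1962, MRN 00123456. "
    "Contact: jdoe@example.com, (555) 867-5309. SSN 123-45-6789. "
    "Portal https://portal.example.org/p/77 accessed from 192.0.2.10."
)

if __name__ == "__main__":
    for category, hits in find_identifiers(SAMPLE_NOTE).items():
        print(f"{category:<24} {hits}")
    print(redact(SAMPLE_NOTE))
```

The scanner reports seven categories for the sample note and leaves the name untouched, which is the practical caveat: a pattern scan is a useful control on outbound exports and logs, but it is not a complete de-identification of a record.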