With rising cybersecurity breaches in healthcare, patient data security — including protected health information (PHI) and payment card information (PCI) — is more critical than ever. In fact, breaches resulting in the loss of confidential patient information are the top security concern among healthcare IT pros, according to an Armis survey.
In this article — part of our Internet of Medical Things (IoMT) series — we look at the upsurge of healthcare data breaches and share practical steps to protect records.
Healthcare cybersecurity breaches are on the rise
The number of incidents involving healthcare data has been increasing in the United States over the last few years. In 2021, over 45 million healthcare records were exposed or stolen, up from 34 million in 2020. The peak, however, was in 2015, due to a massive breach involving health plans (graph below).
[Graph: healthcare records exposed or stolen per year in the United States. Source: HIPAA Journal]
Increased Concerns Over Data Security in Healthcare
A data breach can have a direct impact on quality care. If a hospital loses patient records, its staff members won’t have the information needed to administer proper treatment.
Hospitals might have to halt operations, including admissions and surgeries, which also has a negative financial impact. And there are increased financial losses when it comes to healthcare ransomware attacks — the theme of Chapter 4 of this IoMT series.
A data breach can have legal consequences, too. Hospitals have to comply with the Health Insurance Portability and Accountability Act (1996), which sets requirements to secure PHI.
In case of a breach, HIPAA-covered entities must notify affected individuals, authorities, and, in certain circumstances, even issue a press release. Per the HITECH Act, the Department of Health and Human Services posts a list of breaches of unsecured PHI affecting 500 or more individuals.
The Record-high Price Tag of Healthcare Data Security Breaches
Non-compliance can be costly. Anthem, for example, paid $16 million to settle the case of its 78.8 million record data breach. It was the largest-ever financial settlement for a HIPAA compliance violation.
Healthcare delivery organizations (HDOs) are a top target of cybercrime because they possess valuable data: personal, financial (for example, payment methods), and medical information of patients as well as intellectual property. Selling all this data on the dark web can be lucrative to criminals. No wonder financial gains are the motivation behind 95% of healthcare breaches, per the Verizon 2022 report.
Another concern is the cost of healthcare fraud. This crime happens when patients or medical providers deceive the healthcare system to receive benefits or payments. That’s the case when individuals use someone else’s health insurance or make claims for medical services that were not rendered.
How Data Breaches in Healthcare Happen
We have divided the top causes of healthcare data breaches into three categories:
1. Technology Vulnerabilities
Data about the largest healthcare breaches of 2021 shows that 73.9% were hacking or other IT incidents. Lack of effective patch management and use of legacy protocols contribute to those attacks.
- Legacy technology with vulnerabilities. While computers and other IT devices are typically replaced every 3-4 years, hospital equipment (e.g. MRIs and CT scans) has a longer lifecycle, extending to 10-20 years. Legacy technology with unencrypted protocols increases the risk of breaches, as many of the devices can no longer be updated.
- Unmanaged devices with no built-in security. More than 60% of connected medical devices are unmanageable and, for this reason, cannot accommodate traditional security agents or be easily patched. With the increased use of operational technology (OT), Internet of Things (IoT), and IoMT in healthcare, the number of vulnerabilities also escalates.
- Ineffective patch management. Even when a patch is available, response efforts might be lagging. In fact, 53% of the respondents of The State of Vulnerability Response in Healthcare reported breaches caused by vulnerabilities for which patches were available but not applied.
For an in-depth overview of the challenges of healthcare device security, read Chapter 2.
2. Human Errors
A foundational component of any cybersecurity initiative is to raise awareness among your team. After all, the human element accounts for 82% of breaches, according to the Verizon report. Typical examples include:
- Using a weak password. In 2022, compromised or stolen credentials were the most common initial attack vector, contributing to one out of five breaches, per the IBM data breach report.
- Falling victim to a phishing attack. Social engineering is a tactic to manipulate users to provide information or perform actions that put security at risk, such as clicking on malicious links. To give an idea, Microsoft reports blocking 710 million phishing emails per week.
- Making an honest mistake. Let’s say a lab employee submits the wrong lab results or loses a form with patient medical data. Whether an honest mistake or simply negligence, these actions play a significant role in security incidents. As the Verizon study indicates, employees “are more than 2.5 times more likely to make an error than to maliciously misuse their access.”
3. Third Parties
Healthcare organizations contract with a large number of third parties for services and products, which increases their exposure to cyberattacks. Storing PHI on cloud-based systems or renting medical equipment are typical examples.
A Ponemon Research Report points out that only one-third of critical and high-risk third parties are assessed annually. Effective risk assessment is crucial to mitigating threats. Hospitals need to understand how many PHI records are accessed, transmitted, or stored by third parties, but they often lack this level of visibility.
Concerned with patient privacy? Watch our webinar to learn how to identify risks and align threat models to better secure patient data.
How to Solve Big Data Security and Privacy Issues in Healthcare
Hospitals seeking to strengthen their resilience and prevent cybersecurity breaches in healthcare should start by establishing a comprehensive risk management program.
A 10-step roadmap for improved data security in healthcare should include:
- Employee awareness. Educate your team on cybersecurity best practices, including the use of strong passwords and multifactor authentication.
- Network segmentation. Segment your network so that an attacker who gains an initial foothold cannot move laterally through your environment.
- Principle of least privilege. Restrict users’ access to only the resources they need to perform their jobs.
- Zero trust strategy. Continuously verify users and devices before granting access to network resources.
- Third-party risk assessment. Leverage automation to assess risks associated with vendors and limit exposure to breaches.
- Asset inventory and visibility. Have a comprehensive inventory of all devices and systems in your healthcare environment.
- Continuous monitoring. Passively monitor your hospital network in real-time to detect new threats.
- Patch management. Ensure that your devices and systems are patched to minimize risks associated with hacking exploits.
- Risk prioritization. Take a risk-based approach to vulnerability management and prioritize incident response based on risks to patient care.
- Data breach response plan. Develop a strategy outlining the steps and procedures your organization would follow in case of a breach.
Protecting Patient Information and Healthcare Devices with Armis
Healthcare asset inventory alone is insufficient to ensure patient information security. Hospitals also need complete visibility into the behavior of every type of device — IT, OT, IoT, and IoMT.
Your team needs to see everything a device is doing in your network or air space, so you can detect abnormal behavior and understand where medical data is heading. Let’s say a CT scanner is sending unencrypted PHI traffic to an unsanctioned IP. This activity poses a security risk, but with this type of insight your security team can intervene before it becomes a breach.
With Armis, you can run a query across your entire environment to see which traffic carries unencrypted PHI, and then drill down to forensic-level visibility by device type.
You can identify how many of those devices are laptops, x-ray machines, or MRIs. This level of detail enables you to understand the risks with a greater impact on patient care. Armis even lets you automate alerts and prioritize remediation based on clinical risks.
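The detection described above (cleartext PHI traffic leaving for a destination that is not on the sanctioned list, grouped by device type and ranked by clinical impact) can be expressed as a small triage routine. The code below is an added illustration written for this article, not Armis product code or an Armis query. It assumes flow records that a passive sensor has already enriched with the device type and a TLS flag; the sanctioned networks, the port-to-protocol table (default HL7 v2 MLLP and DICOM ports), the clinical weights and the sample flows are all constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed allowlist of destinations that may receive clinical data
# (assumption, not a real hospital's address plan): the EHR/PACS server
# subnet and one vendor relay in a documentation address range.
SANCTIONED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Protocols that carry PHI in cleartext unless wrapped in TLS. These are the
# conventional default ports (HL7 v2 over MLLP, DICOM); sites vary, so the
# table is an assumption to be tuned per environment.
CLEARTEXT_PHI_PORTS = {2575: "HL7v2/MLLP", 104: "DICOM", 11112: "DICOM"}

# Assumed clinical-impact weight by device type; higher means a compromise
# is more likely to affect patient care directly.
CLINICAL_WEIGHT = {
    "mri": 3, "ct_scanner": 3, "infusion_pump": 3,
    "xray": 2, "laptop": 1, "workstation": 1,
}


@dataclass(frozen=True)
class Flow:
    """One enriched flow record as a passive sensor might emit it."""
    device_id: str
    device_type: str
    dst_ip: str
    dst_port: int
    tls: bool  # True if a TLS handshake was observed on the connection


def is_sanctioned(dst_ip: str) -> bool:
    """True if the destination falls inside an allowlisted network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in SANCTIONED_NETWORKS)


def classify(flow: Flow):
    """Return (reason, score) for cleartext PHI to an unsanctioned host, else None."""
    proto = CLEARTEXT_PHI_PORTS.get(flow.dst_port)
    if proto is None or flow.tls:
        return None  # not a PHI protocol, or protected in transit
    if is_sanctioned(flow.dst_ip):
        return None  # expected clinical data path
    weight = CLINICAL_WEIGHT.get(flow.device_type, 1)
    return (f"{proto} in cleartext to unsanctioned {flow.dst_ip}", weight)


def triage(flows):
    """Collect findings, rank them by clinical weight, and count them per device type."""
    findings = []
    for f in flows:
        result = classify(f)
        if result:
            reason, score = result
            findings.append({"device_id": f.device_id, "device_type": f.device_type,
                             "reason": reason, "score": score})
    findings.sort(key=lambda x: (-x["score"], x["device_id"]))
    by_type = Counter(x["device_type"] for x in findings)
    return findings, dict(by_type)


# Constructed sample flows: one CT scanner leaking DICOM to an outside host, the
# same scanner talking to the PACS subnet, a laptop sending HL7 to an outside host,
# an MRI using TLS to the vendor relay, an X-ray unit leaking DICOM, and a
# workstation on an unrelated port.
SAMPLE_FLOWS = [
    Flow("ct-01", "ct_scanner", "198.51.100.7", 104, False),
    Flow("ct-01", "ct_scanner", "10.20.5.4", 104, False),
    Flow("lap-07", "laptop", "198.51.100.7", 2575, False),
    Flow("mri-02", "mri", "203.0.113.10", 2575, True),
    Flow("xr-03", "xray", "192.0.2.9", 11112, False),
    Flow("ws-11", "workstation", "192.0.2.9", 443, False),
]

if __name__ == "__main__":
    findings, by_type = triage(SAMPLE_FLOWS)
    for item in findings:
        print(f"[{item['score']}] {item['device_id']} ({item['device_type']}): {item['reason']}")
    print("findings by device type:", by_type)
```

The ranking step is what turns a raw alert list into something a clinical engineering team can act on: the CT scanner finding surfaces first because of its weight, while the laptop with the same kind of leak is still reported but lands at the bottom of the queue.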
Take the next step toward improved patient data security in healthcare. Book a custom demo to see how Armis can help.
Frequently Asked Questions
How Does Armis Help Protect Patient Data?
Armis helps healthcare organizations to take steps to mitigate cyberattacks and protect patient data by identifying all devices in their environment — IT, OT, IoT, and IoMT.
The Armis platform passively monitors device behavior in real time to detect suspicious activity. Our solution takes a risk-based approach to vulnerability management, enabling security teams to automate and prioritize remediation based on the impact on patient care.
What type of healthcare organizations use the Armis platform for cybersecurity and asset management?
Leading healthcare delivery organizations (HDOs) such as the Mater Hospital in Dublin and the Burke Rehabilitation Hospital in New York use the Armis platform for cybersecurity and asset management. Armis provides hospitals and clinics with complete asset inventory, cyber risk assessment, device utilization insights, and other use cases.
Read our healthcare case studies to learn more.
What is PHI?
Protected health information (PHI) is the information on the medical record of an individual. PHI is protected under a federal law named the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
What are the 18 HIPAA Identifiers?
The 18 HIPAA identifiers refer to the Department of Health and Human Services’ list of identifiers of an individual.
These identifiers are:
- Names
- Geographic identification
- Dates
- Phone numbers
- Fax numbers
- Social security numbers
- Email addresses
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate and license numbers
- Vehicle identifiers
- Device identifiers or serial numbers
- URLs
- IP addresses
- Biometric elements
- Full-face photos
- Other identifying numbers, characteristics or codes
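Several of the identifiers above have a recognizable format, which makes them detectable when PHI shows up where it should not (a log file, a support ticket, an export headed to a third party). The following scanner is an added example written for this article, not Armis code and not a complete HIPAA de-identification tool. It redacts the format-bearing identifiers from a constructed clinical note and counts what it found; the "MRN <digits>" form and the sample text are constructed assumptions. Names, photos and biometric data have no fixed format and need other controls, which the example deliberately shows by leaving the patient name in place.

```python
import re

# Patterns for the identifier types that have a recognizable format. Ordered so
# that URLs (which may embed other tokens) are redacted before anything else.
# The MRN convention "MRN <6-10 digits>" is constructed for this example.
PATTERNS = [
    ("URL", re.compile(r"https?://\S+?(?=[.,;:!?]*(?:\s|$))")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("MRN", re.compile(r"\bMRN\s*\d{6,10}\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def redact(text: str):
    """Replace each detected identifier with a [LABEL] token; return (text, counts)."""
    counts = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def contains_identifiers(text: str) -> bool:
    """True if any format-detectable identifier is present (e.g. for a log-export check)."""
    return any(p.search(text) for _, p in PATTERNS)


# Constructed sample note; no real patient data.
SAMPLE_NOTE = (
    "Patient John Doe, MRN 00482913, DOB 03/14/1962, SSN 123-45-6789, "
    "phone (555) 010-2233, email jdoe@example.com, seen 01/05/2022. "
    "Uploaded from 192.0.2.44 via https://portal.example.org/results/8891."
)

if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_NOTE)
    print(redacted)
    print("identifiers removed:", counts)
    # The name survives: format-based scanning cannot cover every identifier.
```

Running the scanner on the sample removes eight tokens across seven identifier types and leaves "John Doe" untouched, which is the point to take away: pattern matching is a useful guardrail on outbound data, not a substitute for access control and encryption of PHI at rest and in transit.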
Read all IoMT Playbook Chapters:
- Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
- Chapter 2 – The Hurdles of Internet of Medical Things Security
- Chapter 3 – A history of medical device hacking
- Chapter 4 – How to mitigate ransomware in healthcare
- Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices
- Chapter 6 – How to improve patient data security (this chapter)
- Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities
- Chapter 8 – How to spot the top indicators of compromise in healthcare
- Chapter 9 – The fundamentals of medical device cybersecurity
- Chapter 10 – Which role can you play in strengthening cybersecurity in healthcare moving forward?