Cybersecurity threats are on the rise, and healthcare organizations as well as associated vendors are among the most targeted types of databases.
In 2021, Healthcare Info Security noted that a record-breaking 714 major health data breaches took place, which affected data belonging to more than 45.7 million individuals.
In 2022, 64 health data breaches, affecting a total of nearly 3.1 million individuals, have already been reported. Most breaches of such databases are due to IT/hacking incidents, and they affect both HIPAA-covered entities and business associates or vendors. The top five events, per Gov Info Security, include:
- A hacking incident involving data exfiltration, reported by a Florida-based hospital, affecting 1.3 million individuals.
- A ransomware incident, reported by a Michigan vendor that provides business processing services to health plans, affecting more than 521,000 individuals.
- A cyberattack involving the exploitation of a product vulnerability, reported by a Utah vendor that provides clinical reviews and virtual second opinions, affecting nearly 135,000 individuals.
- A hacking incident involving data theft, reported by a Massachusetts medical billing vendor, affecting nearly 134,000 individuals.
- A network hacking incident that appears to involve ransomware, reported by an Illinois community healthcare organization, affecting nearly 116,000 individuals.
Why Are Health Organizations Such a Target?
Data kept by healthcare organizations includes not just healthcare data, but private personal data and payment data. Many of these databases are also very large, which makes health data a very attractive target.
Healthcare organizations are also easy targets because it's not always necessary to target a hospital or insurer database, which may have more funds and resources to devote to cybersecurity.
Instead, a relatively smaller vendor with access to vast amounts of data can be infiltrated and serve as a backdoor into the larger database, bypassing higher levels of security and exposing hundreds of thousands of files.
What Types Of Data Are At Risk?
The types of data hackers seek to access when they hack a healthcare database include:
- Patient Health Data (covered by HIPAA, etc)
- Personally Identifying Information (PII, covered by a variety of laws and regulations nationwide and worldwide)
- Payments and Financial Information (protected by Payment Card Industry Data Security Standard (PCI DSS))
Just one breach can yield a wealth of patient names, personally identifying information such as phone numbers or addresses, and financial information including credit card numbers or bank details. In some cases, information may be sold to identity thieves. In others, the hackers may seek to hold a company ransom with the threat of releasing the data to the public.
Where Is This Kind Of Data Stored?
Data can be stored in various locations depending on the organization or vendor's internal practices concerning data storage and security.
Some organizations still prefer to store their data on-site in their own servers, meaning there needs to be both physical security as well as cybersecurity to prevent a breach. Many organizations still feel that this is the most secure way to store data, since it keeps control securely in the hands of the company.
However, the key isn't the data being stored on-site, but the security in place. Unless a robust physical and cybersecurity plan is created and maintained, data isn't necessarily safer on-site than off-site or "in the cloud."
Off-site data storage is typically done as a backup, providing a separate copy of files that can be used to restore a database and preserve business continuity in the case of a ransomware attack, when the main set of files is locked down and removed from administrator control.
A backup is a must, but the same security applies, and you'll also need to ensure that security is active when files are being updated, so nobody can hop from one set to another along the connection you are using to transmit a clean update.
In the cloud
In the cloud is another type of "off-site" storage, since files stored in the cloud still have a connection to a physical server somewhere in the world – or preferably, multiple redundant servers in case of natural disaster.
Organizations can choose to move all of their data into the cloud, and opt for relying on their vendor to manage security or to use a hybrid combination. You can retain an on-site storage and use the cloud as backup, or use the cloud as your main depository and keep a backup copy of files on-site.
What Cyberattack Methods Are Commonly Used?
There are three main avenues of attack when it comes to cyberthreats against health data:
Phishing (social hacks)
In phishing attacks, a hacker tries to trick someone inside the organization into giving them access, often by sending them an email that leads to a fake reset password link.
Infiltration is usually accomplished by finding a weakness in a security feature or tool and exploiting it to get inside the network to export data.
Finally, third-party vendors can be gateways into healthcare databases if proper security isn't in place between the vendor and the health organization's data.
How Can Your Organization Protect Patient Data?
A good place to start protecting your data is by using a third-party service provider to perform a cybersecurity audit. Based on the results of that audit, you can then formulate a plan to minimize your risks.
Ensure that you always have current data backups in case of a ransomware attack. You'll be able to get back up and running quickly without having to pay hackers for decryption keys.
As phishing scams are a common tactic, you can help prevent phishing cyberattacks by educating your employees to reduce the likelihood of successful social engineering. Annual training and refreshers can help employees remember to check and double-check the veracity of any request to reset a password or share login information. Require strong passwords and data encryption on laptop computers, and make sure employees login from a secure network when working remotely.
Another good method for protecting data is to use two-factor authentication whenever possible. Also, while it can seem like a hassle, forcing password changes on a regular basis is also a good practice to employ, especially if two-factor authentication is not in use.
Though there is no way to prevent 100% of all threats to data, organizational commitment to a robust cybersecurity plan can help lower the chances of a vulnerability exploit. Finally, doing due diligence on partners can help protect your data from infiltration through a third party.