The health care industry’s security system is apparently in need of major repair.
Two reports surfaced recently offering evidence of cybersecurity issues in the industry. While one report notes stolen health care information isn’t nearly as valuable on the black market as is financial industry data, thieves can still get key personal information by breaching a health care database.
Perhaps the more alarming of the two reports was issued by SecurityScorecard, a provider of security risk information. The company summarized its findings in its 2016 Healthcare Industry Cybersecurity Report this way: “Security breaches in this industry pose devastating consequences because they can render an entire system or network inoperable, creating a life or death situation that needs immediate attention.”
How bad is the industry’s security network? SecurityScorecard rates its system almost at the bottom of 18 different industry segments for adequacy of social engineering, the barometer for whether a security system has been developed to prevent breaches. Only hacking and malware lead to more breaches than social engineering — and it appears less attention is being paid to social engineering as a cyberthreat.
The report says there have been 22 “major public [data] breaches” in the health care field since August 2015. Not only have these breaches put confidential patient information at risk, but they have resulted in litigation against the breached organizations.
Key findings from the SecurityScorecard report include:
- More than three-quarters of health care industry providers have been hit with a malware attack in the last year;
- Medical treatment centers were a favored target of ransomware, with 96 percent of those organizations reporting a ransomware incident;
- Nine in 10 health care manufacturers reported a malware infection;
- Health care ranked fifth among the industries studied in the number of ransomware incidents;
- Over half of the health care industry got a grade of C or lower on SecurityScorecard’s Network Security ranking.
The second report, by Intel’s McAfee Labs division, attempts to place a value on stolen health care information.
The report says basic individual health data isn’t worth much on the street — anywhere from a fraction of a cent for a data byte to a couple bucks and change. But what the thieves are mostly doing is phishing in the health care database waters for more valuable data, like Social Security numbers, account numbers and birthdates.
Those are far more valuable, and the hackers simply find health care databases easier to penetrate than financial institution systems.
Alex Heid, chief research officer for SecurityScorecard, told McClatchyDC that hospitals are especially good targets for data thieves because of their generally poorly constructed systems.
“Hospitals have a lot of data that is similar to the financial sector: Social Security numbers, account numbers and credit card numbers,” Heid says. “People can use compromised health care records for Medicare fraud.”