Just a week ago, CareFirst BlueCross BlueShield (CareFirst) reported a data breach that was initially discovered last year. The company assumed it had taken care of the problem when the incident was first noticed – only to learn ten months later that this wasn’t the case.
The healthcare sector has taken center stage in recent months as cyber-criminals shift from retail and finance toward easier targets. There have been more than 1,000 reported HIPAA breaches since the federal notification rules were established six years ago — representing the personal data of some 22.5 million Americans.
The expanding number of touch points for Protected Health Information (PHI) and other sensitive data via electronic medical records makes the healthcare industry a vulnerable and attractive target for intrusions. Security experts expect the healthcare industry will continue to be plagued with data breach headlines in 2015. The problem is further compounded by the fact that many doctors’ offices, clinics and hospitals may not have enough internal resources to safeguard their patients’ PHI.
Unfortunately, most healthcare organizations are operating under a number of flawed assumptions concerning security. Premera Blue Cross and Anthem were both targeted by attackers using similar methods and phishing tactics. Both companies activated an incident response and, unlike CareFirst, avoided having tens of millions of medical records exposed. But all of these firms assumed the level of security in place on their networks was sufficient, and all of the intrusions took months to detect. It took CareFirst performing a full security audit in the wake of data breach headlines to notice something was amiss.
“Health care companies have often been more willing to accept those risks because of a mistaken belief that the hackers are after credit card numbers, not electronic health records,” commented John Pescatore, director of emerging trends at SANS Institute, during an interview earlier this month with CSO Online.
This is far from the reality of today’s threat landscape. Healthcare data is extremely valuable and is often resold for use in other criminal activities.
According to the Ponemon Institute, 72 percent of healthcare organizations say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data.
Healthcare organizations will need to step up their security posture and data breach preparedness or face the potential for damage to their image and reputation, scrutiny from federal regulators, and large monetary ramifications. The potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually according to Ponemon’s Fourth Annual Benchmark Study on Patient Privacy and Data Security.
SLPowers employs a team of full time security analysts, including one with 15 years of direct HIPAA experience. We know what you’re up against. Let’s talk.