
12/17/2019 Top Cyber Security Risks in Healthcare

TOP CYBER SECURITY RISKS IN HEALTHCARE

In 2015, healthcare was the industry most attacked by cyber criminals, according to
IBM's Cyber Security Intelligence Index. The data showed that over 100 million
healthcare records were compromised during that year, from more than 8,000 devices
in more than 100 countries.

This development unmasks a truth that the healthcare industry can’t hide—it
has become a prime target of cyber attacks. The healthcare industry is facing a host of
cyber security issues, which have financial and reputational impact for hospitals and
other healthcare institutions.

IBM’s Cyber Security Intelligence report is just one of a handful of industry findings that
underscore the obvious: data in many healthcare institutions is being compromised
every single day.

The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data released
by the Ponemon Institute reveals more alarming facts and figures about data breaches
in the healthcare industry.

The study reported that data breaches have cost the healthcare sector $6.2 billion.
It found that nearly 8 out of 10 healthcare institutions were hit with two or more
data breaches in 2014 and 2015. Moreover, 45 percent of healthcare institutions were
affected by more than five breaches during that period.

The report surveyed 91 healthcare institutions and 84 healthcare business partner
institutions, such as pharmaceutical firms, IT and service providers, and medical device
makers.

Consulting firm Accenture believes that data breaches can cost the healthcare industry
more than $300 billion of cumulative lifetime patient revenue over the next five years.

These alarming statistics can be attributed to the following cyber security risks that the
healthcare industry should immediately and adequately address:

Limited spending on cyber security

One of the reasons why the healthcare industry is prone to cyber attacks is the limited
budget allocated by healthcare institutions to cyber security investment.

According to Symantec, a leading enterprise security vendor, healthcare companies are
notorious for their limited investments in cyber security. In a recent report, it cited the
2016 HIMSS Analytics Healthcare IT Security and Risk Management Study, which says
that healthcare companies are underspending on cyber security programs.

In comparison, the federal government spends 16 percent of its IT budget on security.
Other industries also spend more on cyber security; banking and finance, for example,
allocate 12 to 15 percent of their IT budget to security programs.

Symantec believes that one of the reasons why the healthcare industry is prone to
identity theft is that companies don’t spend enough on cybersecurity investments.

ABI Research backs up Symantec’s claims. According to the research organization,
cybersecurity spending in the healthcare sector has been underwhelming. It estimates
that the industry's investment against cyber attacks will only reach $10 billion
worldwide by 2020, which the firm says is under 10 percent of the total spend on critical
infrastructure security.

Auditing giant KPMG, meanwhile, reports that many healthcare companies aren’t
prepared for cyber attacks.

In 2015, the company revealed in a report that 4 out of 5 healthcare executives in the US
admitted that their IT had been compromised by hackers. The report also revealed that
53 percent of surveyed healthcare providers admitted to not being prepared for IT
attacks.

High demand for medical records in the black market

The high demand for patients’ medical records in the black market is fueling the
numerous cyber attacks that have hurt the reputation and finances of health care
institutions.

According to the Federal Bureau of Investigation, electronic health records (EHR) are far
more valuable than financial data. EHRs can sell for $50 in the black market, compared
to just $1 for a stolen social security number or credit card number.

Some cyber criminals combine a patient number with a false provider and then file
claims with medical insurers.

EHRs are deemed more valuable because their theft is more difficult to detect. EHR theft
takes almost twice as long as ordinary identity theft to be discovered. Unlike stolen
credit cards, which can be canceled, and fraudulent charges, which can be disputed,
medical identity theft is more complex and thus more difficult to resolve.

This also means cyber criminals have more time to ‘milk’ the information they obtained from
EHRs.

The high prices that EHRs command in the black market may also be the main reason
why cyber attacks on health care institutions are rising at an alarming rate. Obviously,
hackers can make a lot more money when they target healthcare institutions instead of
banks and other financial firms. In fact, the percentage of healthcare organizations
that have been attacked by cyber criminals rose to 40 percent in 2013 from just 20
percent in 2009. This only shows how much of a prime target hospitals and other
healthcare providers are for cyber criminals.

Ransomware

Cyber criminals don’t even have to steal data from the computers of hospitals to be
able to make a quick buck.

Ransomware is a new data security threat that has targeted and victimized a number
of hospitals in recent years.

Ransomware is a type of malware that cyber criminals use to infect a healthcare
organization’s IT system, preventing the organization from accessing certain files or sectors.
Usually, the infected components are encrypted and the authorized user is then
unable to access them. The hackers then deliver a message containing instructions
for sending a payment, or ransom, in exchange for restored access to the affected system.

What makes ransomware even more complex is that cyber criminals demand that
payment be made in bitcoin. Unlike credit card payments, bitcoin payments are difficult
to trace, which helps hackers elude the authorities.

Aside from the inadequate cyber security programs of hospitals and health care
institutions, one reason why cyber criminals use ransomware to force these organizations
to pay up is the nature of healthcare operations. Hospitals and healthcare
providers need speedy access to patient data as well as a functional communications
system. Thus these institutions are more likely to pay out instead of letting their
operations be disrupted by this type of cyber attack.

Ransomware attacks are, unfortunately, on the rise. Symantec reports that for the first
quarter of 2016 alone, there was an average of more than 4,000 ransomware
attacks per day. This represents a 300 percent increase over the 1,000 attacks a day
reported.

Victims have included Hollywood Presbyterian Medical Center, which paid $17,000 to hackers
in February this year, and MedStar Health, based in Columbia, Maryland, which paid $19,000.

According to the Ponemon Institute, unplanned downtime at healthcare organizations
may cost the organization around $8,000 a minute per incident. This may explain why
most hospitals would rather pay up than deal with major operational losses.

Bring Your Own Device (BYOD) policy

Healthcare companies are encouraging physicians, nurses, and other medical staff to
bring their own devices like tablets, smartphones, and laptops to work. One survey
showed that 81 percent of health care providers are now allowing their doctors and
medical staff members to use their own iPads and other mobile devices at work.

However, 46 percent of those organizations indicated that they are not doing anything
to secure those mobile devices. Moreover, 54 percent of them say they have no
confidence at all that the employee-owned mobile devices used at work are secure.

Many cyber security experts believe that the BYOD policy can put organizations at risk
from cyber attacks.

For one, mobile devices like laptops can be stolen from company offices and expose
patient data. There have been many instances of unencrypted laptops stolen from
healthcare providers, such as Horizon Healthcare Services based in New Jersey, whose
stolen devices contained huge quantities of personal data, including social security numbers.
AMHC Healthcare in LA was also a victim of theft, with two unencrypted laptops
containing data on about 700,000 patients stolen.

Of course, mobile devices can also increase a healthcare organization's exposure to
data breaches. A recent study published in BMC Medicine revealed that 66 percent
of health apps that send identifying information over the Internet don’t use encryption,
while 20 percent don’t have a privacy policy.

As such, healthcare organizations should be stricter when it comes to BYOD policies.
For example, they should bar their employees from sharing personal health information
through file sharing platforms to minimize the risk of identity theft. They must also install
third-party security software on their employees' devices, and have a way to locate a
device and wipe its data should it be stolen.

Employee negligence

Although cyber attacks remain the leading cause of data breaches in the health care
industry, there are still many security issues that were caused by negligent employees.
An employee, for example, may open an email attachment that contains malware and
compromise confidential information stored on a computer.


Hospitals and healthcare organizations can minimize the risks of cyber attacks if they
have staff who are very much aware that carelessness can put their companies at the
mercy of cyber criminals.

In a 2015 study by Wombat Security Technologies and the Aberdeen Group, it was
found that employee training on cyber security can reduce the risk of a cyber attack
from 70 to 45 percent.

The study underlines that few companies focus on the greatest evolving security threat
—the end users themselves. It said that while investing in various IT security
technologies can help mitigate the risks of data theft, ransomware and other types of cyber
crime, healthcare organizations should also focus on their personnel and make them
more aware of these cyber attacks.

Hospitals, clinics, and other healthcare organizations are thus encouraged to educate
their staff and train them in handling confidential information, particularly patient data.
Employees should also be periodically tested for their level of security knowledge and
trained in handling email safely and undertaking security best practices. Some
healthcare institutions even work with an external security agency to develop the ability
of their personnel to identify phishing emails and other forms of cyber attacks.

These are arguably five of the top cyber security risks facing the healthcare industry
today. Suffice it to say, if a hospital, clinic, or healthcare provider is able to deal with these
risks well, then it can significantly reduce its chances of being hit with a cyber
attack.

Section Guide: Ryan Fahey