BY JAKE GIBSON, Chief Compliance Officer and Chief Security Officer, LightEdge Solutions
The health care industry is a rich source of information for cybercriminals. Because that information sells for large sums on the dark web, health care is routinely one of the sectors most affected by cyberattacks.
According to breach reports filed under HIPAA (the law requires health care institutions to report breaches to the U.S. Department of Health and Human Services), there were 955 major breaches between 2015 and 2017, resulting in the exposure or theft of more than 135 million health care records. More than 41 percent of the United States population has had its health information exposed.
Just like other sectors, including finance, manufacturing and government, health care has seen a steady rise in breaches over the last three years, increasing from 270 major incidents in 2015 to 342 in 2017.
One of the biggest reasons health care is a highly targeted industry is its growing reliance on technology and the internet of things to gather and communicate information.
Another reason is underinvestment in information technology. Some estimates say the health care industry spends just 1 or 2 percent of its total budget on information security, but that number has been increasing as institutions start to recognize the importance of protection. In a 2017 study, 92 percent of health care respondents planned to "boost resources for technology." It's a good start, but there is much to be aware of as these institutions plan to increase spending.
Throughout the chain
Some of the biggest avenues for attack in the health care industry are in line with overall trends.
Ransomware continues to be a huge problem in every sector, with the number of attacks rising by more than 90 percent in 2017, according to the latest Small Business Snapshot report.
But beyond ransomware, the health care industry has converted many of its devices and systems to software-enabled technology, which opens more avenues for attack. Data is increasingly gathered and transmitted through the internet of things. Heart rate monitors, scanning machines, digital screens and many more devices have become networked. While this has helped medical professionals access quality data and make better decisions, it has also given attackers more ways into a system.
It doesn't help that when it comes to patches or updates, these machines are usually an afterthought: they often run embedded operating systems that the vendor updates slowly, if at all, and they tend to be inventoried and monitored less closely than ordinary workstations and servers. The situation is similar to the manufacturing or home consumer industry, where appliances and machines are becoming more automated and interconnected.
Another common problem for health care institutions is outside of their walls: third-party vendors and suppliers. Equipment has to be made somewhere, and supply chains have come under increased scrutiny over the past few years. Health care providers have to be aware of where and how their equipment is created.
This extends to business associates, who are specifically covered under HIPAA regulations. A business associate is any organization that creates, receives, maintains or transmits protected health information on behalf of a covered entity. For example, LightEdge can serve as a business associate because it stores data physically inside its walls or remotely through other services. These associates need to be vetted and quality-controlled as well.
It ultimately comes down to third-party risk management. Institutions covered under HIPAA regulations should ensure they have quality control inspections in place throughout their supply chain and among their business associates.
What’s at stake?
Most health care institutions know what's at stake when it comes to HIPAA regulations, but consider these enforcement statistics. Just as breaches have been steadily increasing over the last three years, so have the financial penalties imposed through settlements and civil monetary penalties.
Twenty-nine institutions and their business associates have been financially penalized for data breaches caused by HIPAA noncompliance in the last three years. The U.S. Department of Health and Human Services Office for Civil Rights, the agency that enforces HIPAA regulations, collected just over $49 million in financial penalties. In 2017, the average settlement was $1.94 million.
It's clear that the consequences of not following HIPAA regulations are extremely costly. Those under HIPAA's purview should stay on top of all of their information security, from the supply chain all the way to the machines inside their walls.