Is Healthcare Data Secure?

Traditionally, the healthcare industry has been the slowest field to adopt new technologies. This is generally due to fears surrounding the security and privacy of patient data. Healthcare companies prefer to keep data locked up behind a secure firewall or even on premises. The intangible cloud appears to be a risky place to store critical information.

In recent times, healthcare organizations have been experiencing on average double the number of attacks compared to other organizations. Data breach costs are rising consistently year after year. A study calculated that the average cost of a data breach was a little under $4 million. This cost covers the loss of customers from reputation damage, affected data, fines, costs of forensics and communication, and long-term damages.

A startling 90% of healthcare institutions have suffered a data breach within the last 3 years. Of those affected, 50% have had at least five breaches in the same time frame. A breach is not necessarily hacking or anything malicious. It could simply be a doctor faxing a document to the wrong office, a patient sending data from their doctor to a third party, or a doctor not appropriately disposing of records when their patient leaves the system.

Distributed Denial-of-Service (DDoS) attacks are becoming more and more common. These attacks have taken place in the last few years, crippling some institutions. Each attack resulted in costs of $2 million. Every 40 seconds a healthcare organization is faced with a ransomware attack, and one in six establishments is affected. As the number of attacks is increasing, it would be assumed that the amount of protection would also be rising. On the contrary, healthcare organizations' budgets for cybersecurity dropped to about 3% of the total budget. This is not to say that healthcare organizations are spending less overall; total spending is actually increasing over the years. The amount spent on cybersecurity is constant while overall spending increases, so proportionally less money is being spent on security.

Why is Healthcare a Target?

Healthcare data is rich. Rich in the sense that the data covers multiple aspects of an individual, and all of it can be obtained by breaching just one system. An email account, for example, has some personal identifying information, and a bank account has a little more. Accessing both sets of user data requires two separate breaches, one for each account. In healthcare records, all user information is wrapped up in a neat bow. From the hacker's point of view, a cost-benefit analysis of where to spend hacking money and time shows that targeting healthcare organizations would be the most effective objective. Data held within healthcare enterprises is generally less protected and more useful than what is gained by hacking into, say, an email account.

Another reason healthcare data is a prime target is that the data is stored in a legacy system. With cybersecurity budgets decreasing and systems aging, healthcare data is extremely vulnerable.

Furthermore, there is a specific category of hackers who hack solely for fun, to cause the most damage and wreak the most havoc. When a healthcare organization is taken down by an attack, the downtime impacts patient safety. Hackers who get pleasure out of taking down organizations choose healthcare because an attack there can induce a lot of damage.

How Is the Cloud Helping?

HIPAA is a U.S. regulation put in place for the protection of sensitive healthcare data. As HIPAA is a slightly older law, it was not created for the cloud environment, though it has been amended various times to account for more advanced technical trends. Within HIPAA there is a Business Associate Agreement (BAA) that formalizes the relationship and states that both parties agree that the data HIPAA is protecting is exchanged in the contract. It defines security requirements and the protection of healthcare data during transfer. Google Cloud is an example of a platform used by organizations and is one of the few that offers an extensive, enterprise-grade BAA. Some cloud platforms believe healthcare security is not optional, so the protections in the BAA, including those around breach notifications and encryption, are provided by default at no additional cost.

With the cloud, the traditional security method of having a hard perimeter of firewalls is a thing of the past. The cloud offers various types of protection and security that are relevant to different attacks at different levels. The cloud jumpstarts action to prevent, plan for and deal with disasters. Although healthcare organizations are targeted by hackers, they are remaining diligent in their efforts to keep their patients' data secure.