In 2015, a China-based hacker was responsible for the largest healthcare data breach to date. The files of more than 78 million patients were compromised, leading to a $115 million class-action lawsuit. Ultimately, the insurance company Anthem reached a $39.5 million settlement with state attorneys general. According to Becker's Hospital Review, data breaches cost the healthcare sector more than $5 billion a year.
Personal healthcare data contained in medical records are a valuable asset for hackers. In 2020, 642 healthcare data breaches of more than 500 records occurred, and nearly 80% of them targeted healthcare providers. Personal Health Information (PHI) can sell for up to 10 times more than credit card numbers on the dark web. The intrinsic value of health records explains why healthcare organizations saw a dramatic increase in the number of breaches in 2020.
This article analyzes why healthcare cyberattacks are the new El Dorado for hackers and what can be done to improve patient data security in our digital healthcare world.
Why is information security so important in healthcare?
Most societies place a lot of value on privacy, and patient information is at the top of the list when it comes to intimate details. More than twenty years ago, Forrester Research surveyed how Americans perceived the privacy and safety of their medical records: 2 out of 3 had significant concerns about the safety of their personal health records.
The Health Insurance Portability and Accountability Act (HIPAA) was implemented to provide a framework for how the healthcare sector must handle patient information. The main issue is that most of us are unfamiliar with the rights associated with it.
The healthcare industry is especially susceptible to breaches. The information handled is highly confidential and goes beyond patient records: it also includes financial data. Patients need to share highly private information to be treated effectively, especially for psychiatric or substance abuse disorders.
Without full trust in how the data are secured in health systems, the risk is that information will not be fully disclosed to the doctor and, in turn, could impair the treatment.
How vulnerable are hospitals to cybersecurity attacks?
Experts estimate that in 2025 hospitals will create 463 exabytes of data each day. As a reminder, an exabyte is equivalent to one quintillion bytes, or 1 million terabytes. That is a lot of data, and a lot of potential threats. With the amount of data doubling every two years, healthcare is by far the fastest-growing sector, with a compound annual growth rate (CAGR) estimated at 36 percent through 2025.
The Wall Street Journal recently analyzed the hospitals’ points of vulnerability that could potentially impair patient safety and lead to ransomware attacks. These include:
- Networks,
- Internet of Things,
- Personal devices,
- Data Storage,
- Record disposal,
- Remote work.
Criminals will generally either sell the personal financial information on the dark web or use it for ransomware. In 2021, the details of a credit card with a purchasing balance of up to $5,000 usually sold for $240. Healthcare data are very attractive to cybercriminals, who will often extort patients by threatening to release confidential information.
The consequences of cyberattacks also recently led to the death of a patient in Düsseldorf, Germany. Following a cyberattack, the IT system of one of the city's major hospitals was disrupted. A patient in need of urgent admission was unnecessarily transferred to another hospital. The attacker took advantage of a weakness in an add-on of widely used commercial software.
With so much value associated, hospitals are a gold mine for hackers. Keeping patient data safe should be the number one priority for hospitals and healthcare providers. Still, with so many parties involved and so many potential points of weakness, the task is huge.
Can implantable medical devices be hacked?
According to Market Data Forecast, the market for implantable medical devices (implantable cardiac stimulators, heart monitors, neurostimulators, hearing aids, or insulin pumps) will reach $33.6 billion in 2025. Until recently, medical devices were immune to cyberattacks due to their inability to communicate. This is not the case anymore.
As early as 2014, the FDA published guidance on the cybersecurity of medical devices. These guidelines for manufacturers were completed in 2016 and 2018. Device manufacturers were invited to include security and usability considerations in an effective cybersecurity plan from the earliest design and development stages.
In 2019, insulin pumps implanted in 4,000 patients were recalled due to their potential vulnerability to cyberattacks. In 2017, 465,000 pacemakers were found to be vulnerable. The same year, the Cybersecurity and Infrastructure Security Agency (CISA) also issued a warning for drug infusion pumps.
Most of these threats are linked to factors such as:
- Bluetooth connectivity,
- Windows,
- Cloud,
- Wireless keyboards.
Just like your Bluetooth headset or phone, connected medical devices are inherently vulnerable to hackers. The difference is that human lives are at risk. Security risks are real and need to be addressed. One of the most striking examples is that the Bluetooth connectivity of former Vice-President Dick Cheney's pacemaker was preventively turned off to avoid it being hacked by terrorists.
What are the solutions for cybersecurity in healthcare?
There is no magic bullet to improve cybersecurity in healthcare. The first step is to acknowledge the threats and to change the culture.
- Hospital workers and users should be aware of the potential risks and react accordingly. It all starts with robust passwords that are changed regularly. Every day, every website is being attacked. Two-factor authentication (2FA) is an easy and efficient way to control access,
- Limit access and the ability of employees to install new software,
- Secure Wi-Fi access and keep all firewalls up to date,
- Back up the data regularly,
- Define and implement data recovery plans,
- Follow strict guidelines when it comes to handling personal information (HIPAA, GDPR),
- Ensure that medical device companies treated cybersecurity as paramount when developing a new product,
- Assess risk regularly and keep systems up to date.
Maintaining the security of patient personal information is becoming as important as providing the best possible care. The cost of a breach of a single patient’s medical record has been estimated to be more than $400. Ensuring top-notch cyber-protection comes at a price and needs continuous implementation but is a must-have to ensure that confidence in the healthcare system is maintained.