Reported cyberattacks on health care organizations have increased 40 percent since 2013. The increase in the sector is a combination of three factors. First, medical records theft is not discovered as quickly as other types of data breaches. Second, health care provider networks are some of the easiest to hack.
Third, and the biggest reason, medical records are worth much more than most types of stolen data, including credit card information. In fact, some say stolen health information is worth 10 to 20 times the value of credit card numbers on the black market. Hackers use the data to fraudulently purchase prescription drugs to resell and to file claims with insurers.
Here are the common methods by which health care data is stolen:
Theft and loss of electronic devices. For all the attention paid to hacking into network servers, nearly two-thirds of health care breaches since 2010 have resulted from lost or stolen devices. In one example, Adult & Pediatric Dermatology of Concord, Massachusetts, was investigated and fined for a stolen thumb drive containing the unencrypted personal health information of more than 2,000 patients.
Through vendors and business partners of health organizations. Since HIPAA notification rules took effect in 2009, there have been well over 1,000 incidents reported that affected at least 500 records. About 25 percent of those reports involved business associates of a covered entity. For example, in 2011, TRICARE, a military health care program, had unencrypted backup computer tapes with records for nearly 5 million people stolen. The records were managed by a TRICARE vendor, Science Applications International Corp. HIPAA’s compliance requirements include business associates of covered entities, though the legal burden of protecting patient data falls on the health care institution, regardless of where the breach originated.
Medjacking. Institutions are now vulnerable to a relatively new threat called Medjacking, or medical device hijacking. Attackers have discovered entry points into an organization’s main networks by exploiting outdated and unpatched medical devices, such as X-ray scanners, that are connected to the Internet. By penetrating these devices, hackers can build back doors into main systems.
Phishing attacks. One of the largest health care breaches ever – against Anthem – was reportedly the result of a successful phishing scheme using bogus domain names. In Anthem’s case, its attackers sent emails to Anthem employees with the domain name “we11point.com,” which is similar to Anthem’s former identity, WellPoint. The attackers were able to lure unsuspecting victims to fake sites and obtain logins and passwords.
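Lookalike domains of the kind described above can be caught at the mail gateway by folding visually confusable characters into a canonical "skeleton" and comparing it against the organization's own domains. This is an added example, not code from the original article; the confusable table, the protected-domain list and the sample From: headers are constructed assumptions.

```python
import re
import unicodedata
from typing import List, Optional, Tuple

# Single characters commonly swapped for letters in lookalike domains (constructed table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character sequences that render like a single letter.
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain: str) -> str:
    """Reduce the registrable label of a domain to a canonical form so that
    visually similar spellings (we11point / wellpoint) collide."""
    label = domain.lower().split(".")[0]                 # compare the label, not the TLD
    label = unicodedata.normalize("NFKD", label)
    label = label.encode("ascii", "ignore").decode()     # drop accents and non-ASCII homoglyphs
    label = label.translate(CONFUSABLES)
    for seq, repl in MULTI_CHAR:
        label = label.replace(seq, repl)
    return label.replace("-", "")


def is_lookalike(sender_domain: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain being impersonated, or None if the sender
    domain is genuine (exact match) or unrelated."""
    s = sender_domain.lower()
    if s in protected:
        return None
    sk = skeleton(s)
    for p in protected:
        if skeleton(p) == sk:
            return p
    return None


def flag_messages(from_headers: List[str], protected: List[str]) -> List[Tuple[str, str]]:
    """Scan From: header values and return (sender_domain, impersonated_domain) pairs."""
    flagged = []
    for header in from_headers:
        m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header)
        if not m:
            continue
        target = is_lookalike(m.group(1), protected)
        if target:
            flagged.append((m.group(1), target))
    return flagged


# Constructed sample headers; the first and last imitate protected domains.
SAMPLE_FROM = [
    "HR Team <benefits@we11point.com>",
    "IT Support <helpdesk@wellpoint.com>",
    "Billing <noreply@anthem.com>",
    "Alerts <alerts@anthern.com>",
]
PROTECTED = ["wellpoint.com", "anthem.com"]
```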