Protecting Patient Data: A Guide to HIPAA Compliance - Part 2


Posted by Tatyana Sanchez

Data Breaches: A Growing Epidemic in Healthcare

In my first blog, Protecting Patient Data: A Guide to HIPAA Compliance, I outlined the risks for healthcare organizations that fail to comply with HIPAA regulations. The cybersecurity risks to healthcare organizations, though, go well beyond compliance. Healthcare data breaches have been the most expensive of any industry for 14 consecutive years, and the costs are still rising. As of August 2024, 491 data breaches had been reported in the sector, with over 58 million patient records known to have been exposed. These breaches have severe consequences, including compromised patient privacy and hard financial losses for healthcare organizations. According to IBM's Cost of a Data Breach Report 2024, the average cost of a breach across all industries was $4.88 million, and the healthcare average was higher still.

Data breaches are a growing concern in the healthcare industry, which has become a prime target for cybercriminals. However, data breaches are not the only type of cyber threat facing the healthcare industry. 

Let’s take a look at emerging healthcare threats and trends:

Ransomware Attacks

In 2021, ransomware attacks accounted for 46% of breaches in the healthcare industry. As Christian Dameff, Emergency Physician and Clinical Informatics Fellow at the University of California San Diego, said in his RSAC 2024 podcast session, “When a ransomware attack hits, efficiency goes out the window; the time it takes to get a laboratory result or imaging skyrockets.” Ransomware not only compromises patient data and privacy but also disrupts clinical operations, leading to delays or shutdowns. That can leave patients unattended regardless of the severity of their condition.

Internet of Things (IoT)

IoT technology is transforming healthcare through interconnected devices that collect, transmit, and analyze health-related data. However, IoT devices often lack built-in security and standardization, creating privacy and data-protection challenges. They are frequently connected to the wider hospital network, which can reach systems holding electronic protected health information (e-PHI), so a compromised device can become a path to that data and the interconnection widens the attack surface.

Artificial Intelligence (AI) and Machine Learning (ML)

Although AI and ML provide many benefits, they also present concerns and challenges. Cybercriminals are using them to improve attack tactics such as phishing, smishing, and voice cloning. As Errol Weiss, Chief Security Officer, Health-ISAC, said in an RSAC 2024 podcast session, “We have seen large scale attacks leveraging deepfakes and we will see more and more of this as time goes on.”

AI can also help attackers reach patient data and disrupt systems. Compromised patient data is a major concern, but the biggest risk, as Darren Shou, Chief Strategy Officer, RSAC, said in the same podcast session with Weiss, is that “Cyberattacks on healthcare systems can also cost patients' lives.”

Cloud Computing

Although cloud computing offers patients convenient online access to their health information, it presents significant challenges due to its complex architecture. A 2021 Journal of Medicine and Life study found the most common cloud security challenges in healthcare include information confidentiality, data security and availability, data integrity, and network security.

The cloud’s complex architecture can also make it difficult for healthcare organizations to comply with industry standards and regulations such as GDPR, HIPAA, PCI DSS, the SEC cybersecurity rules, and others.

Shield Your Data: Best Practices for Healthcare Security

Below are some best practices healthcare organizations and employees can follow:

Data Encryption: Since most patient data is now stored and exchanged electronically, healthcare organizations must encrypt it both in transit and at rest. If cybercriminals get hold of encrypted patient data, they cannot read it without the keys, so encryption limits the damage from a stolen database or backup. The protection only holds, though, if the keys are managed separately from the data and cannot be obtained by the same attacker.
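As an added example (not code from the original post), the following Go program shows what "encrypted at rest" means in practice for a single patient record: AES-256-GCM authenticated encryption with a key that lives apart from the data, where a wrong key, a tampered backup, or a ciphertext moved to another patient's record all fail verification instead of yielding garbage. The record contents and the MRN format are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDataKey returns a random 256-bit AES key. In a real deployment the key
// comes from a KMS or HSM and is never stored next to the ciphertext.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM. The patient's medical record
// number (MRN) is bound as additional authenticated data, so a ciphertext
// cannot be silently re-attached to a different patient's record.
// Output layout: nonce || ciphertext || GCM tag.
func Seal(key []byte, mrn string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends to its first argument, so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, []byte(mrn)), nil
}

// Open decrypts and authenticates. Any change to the ciphertext, the tag,
// or the MRN context fails verification and yields an error, never garbage.
func Open(key []byte, mrn string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(mrn))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	const mrn = "MRN-000123"
	note := []byte("Dx: type 2 diabetes; Rx: metformin 500mg")

	sealed, err := Seal(key, mrn, note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for %s\n", len(sealed), mrn)

	// Without the key the stored bytes are useless to a thief.
	otherKey, _ := NewDataKey()
	if _, err := Open(otherKey, mrn, sealed); err != nil {
		fmt.Println("wrong key:", err)
	}
	// A flipped byte, e.g. from a tampered backup, is detected, not decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, mrn, tampered); err != nil {
		fmt.Println("tampered ciphertext:", err)
	}
	// The right key and the right patient context recover the note.
	pt, err := Open(key, mrn, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(pt))
}
```

The design point is the additional authenticated data: binding the MRN means an attacker with write access to storage cannot swap one patient's encrypted note into another patient's record without the decryption failing.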

Access Control: Healthcare organizations should implement an access control system and policy that allows only authorized users to access e-PHI and other personal patient information, and only the minimum necessary for their role. Granting access is just one piece of the process: an organization also needs to verify users, monitor for changes, remove access when it is no longer needed (for example when staff leave or change roles), and review access logs so that unauthorized use is detected.
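The following Go program is an added example, not part of the original post, of the access-control loop described above: role permissions limited to the minimum necessary, a treatment-relationship check before any e-PHI is released, an audit entry for every decision, and a periodic review that flags idle accounts for deprovisioning. The roles, field names, user accounts, and the 90-day idle threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Role-to-field permissions: the "minimum necessary" each role may read.
// Roles and fields are assumptions for this example, not a HIPAA-defined list.
var rolePermissions = map[string]map[string]bool{
	"physician": {"demographics": true, "diagnoses": true, "medications": true},
	"nurse":     {"demographics": true, "medications": true},
	"billing":   {"demographics": true, "billing": true},
}

// User is a workforce account. CareTeam lists patients the user currently
// treats; access to e-PHI also requires that treatment relationship.
type User struct {
	ID        string
	Role      string
	Active    bool
	LastLogin time.Time
	CareTeam  map[string]bool
}

// AuditEvent records every decision, allowed or denied, for later review.
type AuditEvent struct {
	At        time.Time
	UserID    string
	PatientID string
	Field     string
	Allowed   bool
	Reason    string
}

type AccessController struct {
	users map[string]*User
	Audit []AuditEvent
	now   func() time.Time
}

func NewAccessController(now func() time.Time) *AccessController {
	return &AccessController{users: map[string]*User{}, now: now}
}

func (ac *AccessController) AddUser(u *User) { ac.users[u.ID] = u }

// Authorize decides whether userID may read field for patientID. Each failed
// check is logged with its reason so reviewers can spot probing or misuse.
func (ac *AccessController) Authorize(userID, patientID, field string) (bool, string) {
	u, known := ac.users[userID]
	var reason string
	switch {
	case !known:
		reason = "unknown user"
	case !u.Active:
		reason = "account disabled"
	case !rolePermissions[u.Role][field]:
		reason = "role " + u.Role + " may not read " + field
	case !u.CareTeam[patientID]:
		reason = "no treatment relationship with patient"
	default:
		reason = "ok"
	}
	allowed := reason == "ok"
	ac.Audit = append(ac.Audit, AuditEvent{At: ac.now(), UserID: userID,
		PatientID: patientID, Field: field, Allowed: allowed, Reason: reason})
	return allowed, reason
}

// Deprovision removes access when it is no longer needed (departure, role change).
func (ac *AccessController) Deprovision(userID string) {
	if u, ok := ac.users[userID]; ok {
		u.Active = false
		u.CareTeam = map[string]bool{}
	}
}

// StaleAccounts lists active users idle longer than maxIdle: candidates for
// the periodic access review the text calls for.
func (ac *AccessController) StaleAccounts(maxIdle time.Duration) []string {
	var out []string
	for id, u := range ac.users {
		if u.Active && ac.now().Sub(u.LastLogin) > maxIdle {
			out = append(out, id)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample accounts and a fixed clock for reproducible output.
	now := func() time.Time { return time.Date(2024, 9, 1, 12, 0, 0, 0, time.UTC) }
	ac := NewAccessController(now)
	ac.AddUser(&User{ID: "drlee", Role: "physician", Active: true, LastLogin: now().AddDate(0, 0, -1), CareTeam: map[string]bool{"P001": true}})
	ac.AddUser(&User{ID: "nkim", Role: "nurse", Active: true, LastLogin: now().AddDate(0, 0, -2), CareTeam: map[string]bool{"P001": true, "P002": true}})
	ac.AddUser(&User{ID: "bpatel", Role: "billing", Active: true, LastLogin: now().AddDate(0, 0, -120), CareTeam: map[string]bool{"P002": true}})

	for _, req := range [][3]string{
		{"drlee", "P001", "diagnoses"}, // allowed
		{"nkim", "P001", "diagnoses"},  // denied: nurse role lacks the field
		{"drlee", "P002", "diagnoses"}, // denied: not on that patient's care team
		{"bpatel", "P002", "billing"},  // allowed
	} {
		ok, why := ac.Authorize(req[0], req[1], req[2])
		fmt.Printf("%-7s %s %-12s allowed=%-5v %s\n", req[0], req[1], req[2], ok, why)
	}
	fmt.Println("idle >90 days:", ac.StaleAccounts(90*24*time.Hour))
	ac.Deprovision("bpatel")
	ok, why := ac.Authorize("bpatel", "P002", "billing")
	fmt.Println("after deprovision: allowed =", ok, "-", why)
}
```

Denials are logged with the same detail as grants; a run of "no treatment relationship" denials from one account is exactly the signal a monitoring team wants when looking for record snooping.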

Data Loss Prevention (DLP) Measures: DLP tools inspect data at rest, in use, and in motion (for example email, file shares, and endpoints) for sensitive content such as e-PHI, and block, encrypt, or alert on attempts to move it where it should not go. Managed from a single platform, DLP shortens the time the security team spends containing leaks, helps demonstrate compliance with privacy regulations, and preserves the confidentiality and integrity of patient records.
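As an added example of the inspection step (not code from the original post), the Go program below scans outbound message bodies for e-PHI identifiers and applies a simple policy: allow clean messages and messages to a trusted domain, force encrypted delivery when e-PHI is headed outside, and block outright when a Social Security number is. The MRN format, the trusted-domain list, and the sample messages are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Detectors for e-PHI identifiers. The MRN format is an assumed institutional
// convention; the SSN and date-of-birth patterns are generic.
var detectors = map[string]*regexp.Regexp{
	"ssn": regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"mrn": regexp.MustCompile(`\bMRN-\d{6}\b`),
	"dob": regexp.MustCompile(`\bDOB:?\s*\d{1,2}/\d{1,2}/\d{4}\b`),
}

type Verdict struct {
	Action   string         // "allow", "encrypt", or "block"
	Findings map[string]int // matches per category
	Redacted string         // body with identifiers masked, safe to put in an alert
}

// Inspect applies the outbound-email policy:
//   - no e-PHI found                      -> allow
//   - recipient domain is trusted         -> allow (findings still logged)
//   - SSN present, untrusted domain       -> block
//   - other e-PHI, untrusted domain       -> encrypt (force secure delivery)
func Inspect(body, recipientDomain string, trusted map[string]bool) Verdict {
	v := Verdict{Findings: map[string]int{}, Redacted: body}
	for name, re := range detectors {
		n := len(re.FindAllStringIndex(body, -1))
		if n > 0 {
			v.Findings[name] = n
			v.Redacted = re.ReplaceAllString(v.Redacted, "["+strings.ToUpper(name)+" REDACTED]")
		}
	}
	switch {
	case len(v.Findings) == 0:
		v.Action = "allow"
	case trusted[strings.ToLower(recipientDomain)]:
		v.Action = "allow"
	case v.Findings["ssn"] > 0:
		v.Action = "block"
	default:
		v.Action = "encrypt"
	}
	return v
}

// Categories returns the finding names in a stable order for logging.
func (v Verdict) Categories() []string {
	names := make([]string, 0, len(v.Findings))
	for n := range v.Findings {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	trusted := map[string]bool{"hospital.example": true}
	// Constructed sample messages; no real identifiers.
	msgs := []struct{ to, body string }{
		{"hospital.example", "Patient MRN-000123, DOB 04/12/1961, ready for discharge."},
		{"gmail.example", "Patient MRN-000123, DOB 04/12/1961, ready for discharge."},
		{"gmail.example", "Please verify SSN 123-45-6789 for the claim."},
		{"gmail.example", "Lunch moved to 12:30 in room 4."},
	}
	for _, m := range msgs {
		v := Inspect(m.body, m.to, trusted)
		fmt.Printf("%-7s to %-17s findings=%v\n  %s\n", v.Action, m.to, v.Categories(), v.Redacted)
	}
}
```

The redacted copy matters as much as the verdict: an alert that quotes the matched SSN or MRN would itself be a second leak into the ticketing system, so the detector only ever hands reviewers the masked text.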

Incident Response Plan: Healthcare organizations should develop a comprehensive incident response (IR) plan covering data breaches and other security incidents. The plan should address how potential threats are detected as well as how the organization responds to a data breach or ransomware attack, including how clinical care continues while systems are unavailable. Organizations that lack an adequate IR plan spend, on average, an additional nine days and $600,000 to find, stop, and recover from a data breach.

Employee Training and Awareness: This step is crucial. Healthcare organizations must train all staff (e.g., nurses, doctors, nursing assistants), not just the IT team, to recognize phishing emails and other potential threats and to know how to report and respond to data breaches and ransomware attacks. This shifts the organization from a reactive to a proactive posture.

The Road Ahead: A Call to Action for Healthcare Security

By complying with HIPAA regulations and adopting cybersecurity best practices, healthcare providers can protect patient safety, data, and privacy. In the face of increasing cyberattacks, healthcare organizations must become more resilient, not only to protect their brand and reputation but also to ensure the safety of patient care.

The problem of cyberattacks in healthcare will not disappear anytime soon. As a community, we need to collaborate with the healthcare industry to develop robust solutions for protecting patient data and safety.

Contributors
Tatyana Sanchez

Content & Program Coordinator, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

