Compared to other industries, healthcare is particularly vulnerable to cyber attacks with the threats to health information continuing to mount as the industry moves to adopt electronic health records. Earlier this month, the FBI’s Cyber Division issued a notice warning that healthcare systems and medical devices are at risk for increased cyber intrusions for financial gain.
“Cyber actors will likely increase cyber intrusions against healthcare systems–to include medical devices–due to mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market,” according to the FBI. “The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the Internet, generating a rich new environment for cyber criminals to exploit.”
The law enforcement agency goes on to say that the healthcare industry “is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures, much less against more advanced persistent threats” and “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”
In its annual Internet Security Threat Report released earlier this month, information protection vendor Symantec revealed that 37 percent of all data breaches in 2013 were in healthcare–the largest number of disclosed data breaches for any industry. In addition, the company found that more than 6 million identities were exposed in 2013 in the healthcare industry alone.
“The impact that this could have is significant because it could cost a consumer thousands of dollars to have their identity stolen and it can also put their healthcare coverage at risk, leading to legal problems or inaccurate medical records,” says Satnam Narang, security response manager at Symantec.
With unauthorized access to health and personal information such as Social Security numbers, these kinds of data breaches could potentially result in false claims being filed, free medical treatment and ordering of prescription drugs, according to Narang. However, the threats to health information are not restricted to attacks on networks, as unencrypted laptops and other mobile devices also are at risk, he adds.
The Department of Health and Human Services Office for Civil Rights announced on April 22 that it collected nearly $2 million to resolve potential HIPAA violations from two firms for failure to secure protected health information on laptops and mobile devices.
