The Healthcare Industry: 2014

The Healthcare Industry: 2014's Biggest Data Breach Victim

For many, 2014 has been the year of the data breach. While media attention was largely focused on breaches at major retailers, it was actually the healthcare industry that suffered the most substantial blow this year. According to the Identity Theft Resource Center, the medical industry accounted for 43 percent of all data breaches for the calendar year. And, the Ponemon Institute reported an estimated 1.84 million Americans were victims of medical identity theft last year. It looks like there’s no slowing for healthcare industry breaches, as we can expect an equally active year looking forward.

Starting on January 1, 2015, under provisions set by the 2009 American Recovery and Reinvestment Act, healthcare organizations will be required to show they have implemented digital medical records in order to continue to receive funding from Medicaid and Medicare. With this push to get more and more medical records online, it is essential that we understand why healthcare organizations have been under attack in the past and, more importantly, what these organizations can do to protect themselves from cyber criminals in 2015.

Why are healthcare organizations being targeted?

One of the key reasons healthcare organizations are being targeted with alarming frequency is the financial appeal of a medical identity to cyber criminals. According to the World Privacy Forum, a medical identity, which includes private information like Social Security numbers and health plan ID numbers, is worth about $50 on the online black market. By comparison, a cyber criminal can fetch around $1 for a Social Security number and $3 for an active credit card. The high value of a medical identity makes it incredibly desirable to high-tech criminals looking to make a quick buck.

Another reason for the growth of medical identity theft is the rapidly approaching January 1 deadline for healthcare facilities to show “meaningful use” of electronic health records (EHRs). This deadline is causing many healthcare facilities to scramble to transition existing paper records online in order to avoid penalties. In the process, these facilities are sometimes failing to ensure security best practices. This is especially evident for smaller healthcare facilities. These facilities don’t have the staff or resources that larger organizations have which can put a strain on resources and leads to oversights in security efforts.

What steps are being taken to ensure security now?

This October, CSID, in partnership with Research Now, conducted a survey to gain insight into what measures healthcare facilities are currently taking to protect themselves ahead of the inevitable shift to digital records.

While an overwhelming majority of respondents (85 percent) felt that their systems adequately limit the risk of a breach, only 17 percent of organizations are worried about losing patient data in the case of a breach. Even more worrisome, 41 percent of the surveyed healthcare organizations spend 10 percent or less of their IT budget on protecting patient data against a breach.

The survey also found that roughly half of employees at healthcare organizations that have access to EHRs also have access to their personal email at work – making it easy for patient data to leave a controlled environment undetected.

While most healthcare organizations showed they are implementing basic security measures like firewalls, anti-virus software and strict password enforcement, only 32 percent said they use multi-factor authentication and only 27 percent said they actively vet third-party vendors.

The results of the survey demonstrate that there is plenty of room for healthcare organizations to improve upon their security. With the move to digital records, it’s clear that data breaches will continue to threaten the healthcare industry. So, as we look to 2015:

What can healthcare organizations do to protect themselves?

Make security education for employees a priority: According to CSID’s survey, nearly half of healthcare organizations do not currently have programs in place to educate employees on how medical identity theft happens. Increasing employee education will arm individual employees with the tools they need to protect patient data.

Audit third-party vendors: Not enough healthcare organizations are auditing third party vendors, which is essential for increasing security. Any outside vendor that has access to patient information should be thoroughly vetted.

Track, encrypt and password-protect mobile devices hosting patient information: Organizations should create a BYOD policy that puts strict limits on how patient data can be viewed and transmitted on devices.

Collaborate with other healthcare organizations: In a closed environment, share resources with other organizations and exchange ideas for improving security measures.

Have a response plan: In the event of a data breach crisis, executives and employees should be able to reference an up-to-date plan for guidelines on policies and procedures.

Data breaches will not go away in 2015. Cyber criminals will continue their attempts to steal medical identities, especially as so much of our physical world makes the transition to digital. However, with increased education, a more substantial vetting process for third party vendors, the tracking of mobile devices, increased collaboration among healthcare organizations, and a solid response plan, healthcare organizations can better defend themselves against these cyber threats.

About the Author

Joe Ross is the president and co-founder of CSID.


  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • 91 Percent of Security Leaders Believe AI Set to Outpace Security Teams

    Bugcrowd recently released its “Inside the Mind of a CISO” report, which surveyed hundreds of security leaders around the globe to uncover their perception on AI threats, their top priorities and evolving roles, and common myths directed towards the CISO. Among the findings, 1 in 3 respondents (33%) believed that at least half of companies are willing to sacrifice their customers’ long-term privacy or security to save money. Read Now

  • Milestone Announces Merger With Arcules

    Global video technology company Milestone Systems is pleased to announce that effective July 1, 2024, it will merge with the cloud-based video surveillance solutions provider, Arcules. Read Now

  • Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

    Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams. Read Now

Featured Cybersecurity


New Products

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3