The Healthcare Industry: 2014's Biggest Data Breach Victim

For many, 2014 has been the year of the data breach. While media attention was largely focused on breaches at major retailers, it was actually the healthcare industry that suffered the most substantial blow this year. According to the Identity Theft Resource Center, the medical industry accounted for 43 percent of all data breaches for the calendar year. And the Ponemon Institute reported an estimated 1.84 million Americans were victims of medical identity theft last year. Healthcare industry breaches show no sign of slowing, and we can expect an equally active year ahead.

Starting on January 1, 2015, under provisions set by the 2009 American Recovery and Reinvestment Act, healthcare organizations will be required to show they have implemented digital medical records in order to continue to receive funding from Medicaid and Medicare. With this push to get more and more medical records online, it is essential that we understand why healthcare organizations have been under attack in the past and, more importantly, what these organizations can do to protect themselves from cyber criminals in 2015.

Why are healthcare organizations being targeted?

One of the key reasons healthcare organizations are being targeted with alarming frequency is the financial appeal of a medical identity to cyber criminals. According to the World Privacy Forum, a medical identity, which includes private information like Social Security numbers and health plan ID numbers, is worth about $50 on the online black market. By comparison, a cyber criminal can fetch around $1 for a Social Security number and $3 for an active credit card. The high value of a medical identity makes it incredibly desirable to high-tech criminals looking to make a quick buck.

Another reason for the growth of medical identity theft is the rapidly approaching January 1 deadline for healthcare facilities to show “meaningful use” of electronic health records (EHRs). This deadline is causing many healthcare facilities to scramble to transition existing paper records online in order to avoid penalties. In the process, these facilities sometimes fail to follow security best practices. This is especially evident at smaller healthcare facilities, which don’t have the staff or resources that larger organizations have. The transition strains what they do have and leads to oversights in security efforts.

What steps are being taken to ensure security now?

This October, CSID, in partnership with Research Now, conducted a survey to gain insight into what measures healthcare facilities are currently taking to protect themselves ahead of the inevitable shift to digital records.

While an overwhelming majority of respondents (85 percent) felt that their systems adequately limit the risk of a breach, only 17 percent of organizations are worried about losing patient data in the case of a breach. Even more worrisome, 41 percent of the surveyed healthcare organizations spend 10 percent or less of their IT budget on protecting patient data against a breach.

The survey also found that roughly half of employees at healthcare organizations who have access to EHRs also have access to their personal email at work, making it easy for patient data to leave a controlled environment undetected.

While most healthcare organizations showed they are implementing basic security measures like firewalls, anti-virus software and strict password enforcement, only 32 percent said they use multi-factor authentication and only 27 percent said they actively vet third-party vendors.

The results of the survey demonstrate that there is plenty of room for healthcare organizations to improve upon their security. With the move to digital records, it’s clear that data breaches will continue to threaten the healthcare industry. So, as we look to 2015:

What can healthcare organizations do to protect themselves?

Make security education for employees a priority: According to CSID’s survey, nearly half of healthcare organizations do not currently have programs in place to educate employees on how medical identity theft happens. Increasing employee education will arm individual employees with the tools they need to protect patient data.

Audit third-party vendors: Not enough healthcare organizations are auditing third-party vendors, which is essential for increasing security. Any outside vendor that has access to patient information should be thoroughly vetted.

Track, encrypt and password-protect mobile devices hosting patient information: Organizations should create a BYOD policy that puts strict limits on how patient data can be viewed and transmitted on devices.

Collaborate with other healthcare organizations: In a closed environment, share resources with other organizations and exchange ideas for improving security measures.

Have a response plan: In the event of a data breach crisis, executives and employees should be able to reference an up-to-date plan for guidelines on policies and procedures.

Data breaches will not go away in 2015. Cyber criminals will continue their attempts to steal medical identities, especially as so much of our physical world makes the transition to digital. However, with increased education, a more substantial vetting process for third-party vendors, the tracking of mobile devices, increased collaboration among healthcare organizations, and a solid response plan, healthcare organizations can better defend themselves against these cyber threats.

About the Author

Joe Ross is the president and co-founder of CSID.

