As banks and large retailers have taken steps to harden their networks, hackers have turned their attention to healthcare providers. Just recently, Premera announced a breach that took place last year may have exposed the personal and financial data of approximately 11 million customers. Last month, the nation’s second largest health insurance company reported the information of approximately 80 million people was exposed to hackers in a breach discovered on January 29th.
There are several reasons hackers have focused their attention on healthcare companies, even though companies in the industry don’t usually handle financial transactions.
Healthcare companies keep patients’ personal and financial data. Many patients use online payment options, which means their records may have information such as bank accounts and debit/credit card numbers. Even without financial data, criminals can use personal data to commit crimes such as identity theft and insurance fraud. They can also use email addresses to target patients for phishing scams. While email addresses are easy to change, other information such as names, birth dates, physical addresses and social security numbers are much more problematic if compromised.
Healthcare companies keep and share patient records. As part of the Affordable Care Act, healthcare providers are required to maintain their records electronically and share the data with other healthcare providers. This means if a patient must visit a doctor while on a trip or sees a specialist at another facility, the new doctor can access their records and information. This is important because patients can’t always tell the new provider important details like life-threatening allergies to medications.
Sharing information has real benefits for providers and patients, but it also increases risk of exposure. Because healthcare providers share data, if a criminal uses a patient’s data to obtain prescription drugs, the false prescriptions could become a part of the patient’s record and affect a doctor’s medical decisions in the future. For example, some drugs are incompatible. If a false record shows a patient is taking a drug that is not compatible with the preferred medication, a doctor may be forced to choose a less effective alternative medication.
Healthcare companies are a soft target. Companies in the healthcare industry are more focused on regulatory compliance than security. In the wake of the ACA many small software companies sprang up offering patient record and database software. Some healthcare companies developed their own software, but many opted to purchase off-the-shelf products from these companies. Many have gone out of business or been absorbed into other software companies, leaving the healthcare provider without security updates.
Even when security problems are known and updates are available, they often go for long periods without being patched. WhiteHat Security recently revealed only 24% of known security flaws in the healthcare industry are patched at any given time. Even more troubling, the average length of time for a healthcare site to fix security problems is a whopping 158 days.
Healthcare companies must take steps to harden their networks against hackers. Security breaches can have long-lasting effects on a patient’s financial and physical health.