A Hacker’s Dream … A Hospital’s Nightmare
Hospitals and healthcare systems have featured prominently in recent news headlines regarding data breaches. It is understandable, then, that patients are concerned. The Unisys Security Index™, the only recurring snapshot of security concerns conducted globally, reports that in 2018, fears of identity theft (named by 68% of respondents) and bankcard fraud (named by 66% of respondents) were ranked highest among consumers.
What is it that makes healthcare records so attractive to hackers? In a word: money. Whereas the market price on the dark web for stolen credit card numbers ranges from $.50 to $5.00 per number, personal health information (PHI) can bring in $10 to $50 per record.[1] When consumer data is stolen from a healthcare organization, it can be used to build fake identities for the purpose of defrauding healthcare payers, channeling rebates meant for healthcare providers, and supporting forged visa applications.
This raises a second question: why do hackers have such a good track record attacking hospitals and healthcare systems? The answer to this question is twofold. First, healthcare is a laggard industry from a technology adoption standpoint. Consequently, the robust security stance that one finds in other industries (e.g., Finance or Retail) is typically lacking in healthcare. Gaps and vulnerabilities abound, and hackers are swift to take advantage of them.
Second, there is a great deal of latency in healthcare processes. Healthcare billing systems are often fragmented with no single bill, and billing is often not complete for up to a month post-discharge. Therefore, if a hacker steals a patient’s data, a month or more can go by before anyone even realizes that the data has been stolen. During that month, the hacker can use the data to build an independent persona with which they can make financial transactions and purchases. In contrast, when a credit card is stolen, the breach can be identified almost immediately, leading to rapid account closure.
Hospitals and healthcare systems need to take swift and significant action to protect the privacy and security of their patients’ data. To learn more – including the important role that unsecured medical devices play in cybersecurity – read Why Hospitals are a Hacker’s Dream Come True: A Review of the 2018 Unisys Security Index™.
[1] “Cybersecurity, Cybercrime and Data Breaches: Healthcare Under Attack,” eFax Corporate, 2018.