Healthcare Data: An Increasingly Valuable Target for Hackers

Healthcare data breaches are increasing year after year, without any indicator of slowing down anytime soon. In order for healthcare IT professionals to invest in protecting patient data, it is important to understand why healthcare data is so valuable to hackers. 

Healthcare data often contains all of an individual’s personally identifiable information (PII), unlike a single piece of personal data that may be stolen in a financial breach. In fact, a recent Trustwave report suggests that healthcare data may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record (a credit card). Because of healthcare data’s high degree of desirability, industry IT professionals must take steps to safeguard patent data. 

Healthcare Data Breach Statistics

If the sheer cost of a breached healthcare record versus that of a credit card isn’t enough to make you reevaluate your IT budget and approach to cybersecurity, take a look at these staggering statistics:

• 59% of reported healthcare data breaches in 2019 were due to hacking. (Fortified Health Security)
• Healthcare data breaches are the most expensive for any industry at a staggering $7.1 million. (IBM)
• Privilege misuse and human error are the two most prominent breach incident patterns within the healthcare industry. (Verizon)
• Hospitals spend 64% more on advertising/marketing (damage containment) after a breach. (American Journal of Managed Care)

If healthcare data ends up in the wrong hands it can be used to create fake IDs to buy medical equipment or drugs that hackers can resell. Stolen PHI may also be used with a false provider number to file fraudulent claims with payers. 

The real kicker though is that medical identity theft is often not immediately detected, giving hackers more time to use stolen credentials, unlike credit cards that are instantly flagged upon detecting fraud. 

Digital Healthcare Trends Accelerate the Risk to Patient Data

Advances in modern medical technology and information systems have transformed the healthcare industry. Digital health workflows allow healthcare provider teams to more easily coordinate care with providers in other locations and interact with their patients, ultimately leading to better outcomes. But these trends also introduce significant risks to patient data. 

Because of the number of interconnected devices in healthcare and the growing need for providers to share patient data across devices and with third-party vendors, the attack surface has grown exponentially and opportunistic attacks are becoming more and more common. 

Sharing PHI Using Electronic Medical Records

One of the most common methods of sharing healthcare data is through electronic medical records (EMRs). EMRs are an electronic version of the patient charts in a healthcare provider’s office and contain the medical history of the patient in that one practice, allowing healthcare providers to track data—such as blood pressure or vaccinations—over time, identify which patients are due for checkups, and improve the overall quality of care within the practice

The challenge with EMRs is that the data stored in these systems cannot easily be shared beyond the practice, often resulting in having to print and mail the patient’s records to other healthcare providers. Electronic health records (EHRs) address this challenge.

EMR vs. EHR: What’s the Difference

The main difference between EMRs and EHRs is that EMRs are for use within a practice, whereas EHRs are a more comprehensive record that travels with the patient and are designed to be accessed by all people involved in the patient’s care—including the patients themselves. EHRs can be shared amongst different provider networks, labs, and specialists, collecting information from each collaborator along the way. 

The ability to share patient health history is a powerful tool and a responsibility that is not to be taken lightly when it comes to security. Widespread adoption of EMR and EHR systems has served a key role in making PHI accessible and secure. However, many care scenarios require immediate access to PHI, so health workers often take the path of least resistance and use email and file systems to share it, opening up yet another surface for attack.

Securing the Network isn’t Good Enough

Even with EMRs and EHRs, the demands of modern healthcare organizations and the steady drumbeat of data breaches reveal the inadequacies of traditional approaches to protecting patient data throughout sharing workflows and the course of care.  

The traditional approach to healthcare IT security involves securing the network, not the data itself. With this approach, a patient’s medical record is secure when it is in the hospital, but not when emailed to the patient themself or a provider at another practice. What happens when a tablet is lost or stolen? Once data leaves the network, it is no longer secure. This presents a significant challenge for healthcare providers who often need to collaborate across network boundaries in order to deliver the best patient care. 

Spending Money on the Wrong Healthcare Data Protection Solutions

Regulations such as HIPAA have trained the industry to follow strict, network-centric approaches that focus on securing access to networks and computers. Most healthcare providers encrypt patient data at rest and, inside the network, data is secure. However, when sharing patient data outside the network, it is at risk of exposure.

Thanks to the proliferation of connected devices—including tablets and smartphones—the way in which healthcare providers share data has changed, and the investment into data security must change along with it. 

Since HIPAA became law nearly 30 years ago, security has long been a line item in healthcare IT budgets. However, healthcare IT spending is projected to grow by 20% or more this year alone. Despite increased budgets (and the increasing cost of breached healthcare records), cybersecurity issues are not the biggest driver of technology spending. 

Reduce Your Risk by Sharing ePHI Securely

Given the frequency of attacks on the healthcare industry, IT departments need to act as if a threat to their network and electronic PHI (ePHI) is imminent and respond as such. By securing the data itself, IT teams can empower providers to continue sharing healthcare data, without putting patients’ privacy at risk of a breach.

It’s not enough these days to put a lock on your EMR or EHR and call it secure. The reality is that health data must be protected in a way that allows for control of who can access the data, no matter where it is shared. Through a data-centric approach to healthcare data security, providers and patients can both rest assured that even if sensitive data does end up in the wrong hands, access can be revoked and the damage of a breach can be minimized. 

Virtru for Secure PHI Sharing

Virtru’s email and file solutions offer data-centric security via end-to-end encryption that prevents unauthorized access and enables persistent control and visibility as PHI is shared. With data-centric security in place, protection, control, and visibility persist throughout the full care lifecycle, enabling better patient engagement and more rapid care collaboration, without sacrificing patient confidentiality and compliance. 

With Virtru’s off-the-shelf solutions for Gmail, Outlook, and Google Drive, providers can easily and securely share PHI with patients, other providers in the network, and specialists outside the network via email or file sharing.