As large-scale data breaches continue to affect a variety of industries, stricter federal requirements for the reporting of healthcare cyberattacks have provided a clearer picture of when patient data is stolen or compromised. These new numbers show that health information is increasingly being targeted by cybercriminals, with 43 percent of major data breaches in 2013 affecting medical organizations, according to the Identity Theft Resource Center.
Since 2009, when data breach reporting requirements went into effect, the U.S. Department of Health and Human Services' database of major breach reports (those affecting 500 or more people) has identified 944 incidents involving the personal information of more than 30 million people. The exploitation of the majority of those records, 17.4 million, was tied to theft, according to The Washington Post's analysis of HHS data.
Healthcare data breaches on the rise, insufficient security to blame
Last year was the first time the healthcare industry topped the Identity Theft Resource Center's list of most targeted sectors, and it is on pace to do so again in 2014. Medical organizations make appealing targets because they store the payment information of all their patients, as well as in-depth records that can be used to seek reimbursement for healthcare services, Judy Hanover, an IDC analyst who covers healthcare, noted in an interview with The Wall Street Journal. According to Hanover, cybercriminals seek to obtain patient data to fraudulently file insurance claims or impersonate patients to receive medical services.
Another reason healthcare providers are frequently targeted by cybercriminals is the general lack of security measures taken in the industry. A recent study by BitSight Technologies ranked the cybersecurity of the medical sector below retail and other industries. The low rating may be due in part to the relatively small budgets many medical organizations dedicate to security. According to Hanover, spending on security software and services will make up less than 2 percent of total IT spending for U.S. healthcare providers this year.
Healthcare organizations looking to make the most of their IT budgets should consider implementing security information and event management services. A concierge SIEM solution monitors enterprise networks around the clock to detect any malicious or anomalous behavior. Any suspicious events are analyzed and the information is provided to the company to help create a stronger, more informed cybersecurity policy.