For cyber criminals, Personal Health Information (PHI) is a highly valuable trove of data that can be sold for far more than any other personal records. A patient’s PHI contains their social security number, addresses, phone number, insurance information, prescriptions, diagnosis, as well as billing information. This creates an opportunity for cyber criminals to make big money in a PHI breach. For healthcare organizations, on the other hand, it poses the threat of significant losses. Healthcare security is becoming increasingly important.
The Importance of Protecting PHI
PHI is a unique data source because it contains information about a person’s identity that cannot be altered. Once a diagnosis is rendered, it is permanent. Similarly, prescribed medications, allergies, mental health records, and other medical data are unchangeable. For this reason, PHI is subject to strict confidentiality and disclosure requirements that don’t apply to most other industries.
Criminals Will Pay Up to $1000 for a Single Medical Record
When a person’s credit card or account number is stolen and used fraudulently, a quick trip to the bank and a change of digits can solve the problem. However, unalterable medical information can be used for many malicious purposes, from blackmail to stealing an identity. This is why cyber criminals are willing to pay only 25 cents for a credit card number, but they would pay up to $1000 for a single medical record.
Unique Cyber Security Issues in Healthcare
While healthcare organizations must meet stringent requirements to protect patient data, compliance doesn’t necessarily mean that PHI is secure. As technology evolves quickly and the healthcare industry relies more on connected medical devices, servers and PCs, regulations can’t keep up with increasingly sophisticated attackers. Other industries do not rely on such an extended ecosystem of connected technology, especially in the life-or-death situations that are common in healthcare.
While all modern industries face cyber security challenges, the healthcare sector is a huge target for criminals. The extensive data found in patient records, the vast ecosystem of possible attack surfaces, and the life-or-death situation created by a breach make healthcare organizations particularly vulnerable. For these reasons, the healthcare industry can expect cyber criminals to be more frequent and more persistent in attempting to hack into its systems.
The Cost of a PHI Breach
After a PHI breach, healthcare organizations must take a number of actions to contain the breach and meet compliance regulations, and these expenses add up. Organizations must pay for regulatory fines, notification expenses, identity theft repair, and credit monitoring.
The Average Cost of a Healthcare Data Breach is $408 Per Health Record
The number of records involved in a single data breach at a healthcare organization contributes to the monumental cost and the scale of the aftermath. According to Protenus’ 2020 Breach Barometer, over 40 million patient records were breached in 2019 alone. At $408 per health record, costs add up quickly even for the smallest breaches.
Healthcare Data Breaches Cost 65% More Than Data Breaches in Other Sectors
As soon as a person is born, their PHI is stored within the IT infrastructure of a healthcare organization. Since the simple act of being born often makes a person an active participant in the healthcare system, this means that most people are vulnerable to a healthcare data breach.
In fact, according to the American Academy of Pediatrics, “Children can be especially vulnerable [to healthcare data breaches]. It may take years or even decades for them to be made aware that their personal information has been compromised, especially if their healthcare provider is unaware of a breach.”
The healthcare system is not only uniquely vulnerable to cyber-attacks; its monumental database of valuable information also makes it a massive target for hackers. This results in unparalleled costs in the aftermath of a data breach.
Preventing a Data Breach
Whether you are an app developer for connected medical devices or an information security officer at a large healthcare organization, it is your job to protect valuable patient information. Automated, intelligent security solutions are key, and performing vulnerability assessments regularly is critical. Ensuring proper cyber security hygiene from end to end is an organization’s best bet for preventing a PHI breach and protecting all aspects of the vast healthcare ecosystem.
Protenus: 2020 Breach Barometer
Ponemon Institute: 2019 Cost of a Data Breach Report