Healthcare Data Survey Shows Providers Are Easy Prey For Hackers
The cost of data breaches could cost the healthcare industry $4 Billion in 2019, according to a comprehensive industry survey published in November. Respected market analysis firm Black Book Market Research published the results from its poll of nearly 2,900 cybersecurity experts who work in the medical data field, and the news is not encouraging for the healthcare providers the experts serve. “Thus far in 2019, healthcare providers continued to be the most targeted organizations for industry cybersecurity breaches with nearly 4 out of 5 breaches, whereas successful attacks on health insurers and plans maintained with more sophisticated information security solutions with little change year to year,” Black Book said in a press release. “Over half (53%) of all provider breaches were caused by external hacking according to respondents.” The survey also found that 93 percent of healthcare organizations have suffered at least one data breach since the third quarter of 2016, and more than half have suffered at least five breaches during the same time period. Those doctors, clinics, and hospitals are unprepared for and mostly unaware of the threats they face, according to Black Book’s survey. Fifty-eight percent of the respondents said they didn’t hire a security consultant until after a “cybersecurity incident,” while 94 percent haven’t upgraded their security systems since their last incident, and 35 percent hadn’t done any security scans prior to being targeted by hackers. Black Book’s founder says the problem is compounded by companies’ efforts to maximize profits, which means minimal investment in budget items that don’t generate revenue—like data security. Physician organizations reported that just one percent of their IT budgets were earmarked for cybersecurity. This, however, is textbook “penny wise and pound foolish” thinking, with many egregious examples in recent history to prove the point. Medical billing company American Medical Collections Agency (“AMCA”) was a trusted vendor to many large healthcare providers across the United States. Founded in 1977, its contracts reached millions of patient files and accounts worth billions of dollars. Yet over the course of eight months, from August 2018 to March 2019, ACMA’s cloud storage was being hacked, with more than 20 million patient files pillaged for valuable financial data. The news of the breach quickly spread, and investigations and lawsuits started piling up. When it became clear that there would be no easy way out of the problem, and after the company’s founder funneled $2.5 million of his own money into AMCA to keep it afloat, AMCA filed for Chapter 11 bankruptcy protection on June 17. The problem is not limited to AMCA, but also to every healthcare provider it did business with. Since HIPAA’s Security Rule places the burden on the healthcare provider to ensure that not only must the provider and its employees take all necessary steps to protect patient information, but so do its vendors and contractors, those providers may be equally guilty of AMCA’s sins in the eyes of the law. As a result, some of AMCA’s client healthcare organizations, like New Jersey-based Quest Diagnostics have been called to answer to Congress. New Jersey’s Senators Cory Booker and Bob Menendez sent an inquiry to Quest, demanding answers for the millions of residents whose medical and financial data were exposed. They also sent an inquiry to North Carolina-based LabCorp, another victim of the AMCA attack, which had previously been sued for HIPAA violations over several breach incidents. The AMCA fiasco shows how easily a Trojan horse program can exploit a single weakness and impact an entire community of businesses. How the hackers got into AMCA’s files has not been made public, but through that single breach they were able to infect the entire web of AMCA’s business partners. And each of those partners similarly failed to have adequate security to identify and prevent the breach in real time, and to alert the system administrators that they were under siege. Only through a series of failures was the hack allowed to go undiscovered for eight months. It has already cost AMCA millions of dollars, and perhaps its entire business if it cannot emerge from Chapter 11 bankruptcy. Each of its business partners will face a similar set of investigations and lawsuits, as state and federal regulators demand answers, while patients demand compensation for their lost privacy. And every frontline provider who contracted with AMCA will have to reckon with those consequences. There is a clear lesson here for wise healthcare providers and their security contractors. With severely restricted budgets for protection and extremely high costs for failure, healthcare security is an area where cost-efficiency is a top priority. A security system that is customizable to the client’s needs, scalable to the client’s business, and adaptable to the client’s workflow is as close to perfect as a solution can be. Such a system cannot be purchased “off the rack”, but should be tailored through intimate discussions with the client, the vendor, and the designer. Is it going to be sky-high expensive? Stop your guess-work and just ask one of the trusted healthcare software developers for a free quote. The most surprising finding from Black Book’s survey might be the one that starts that conversation: 93 percent of clinics have no solution in place to instantly detect and respond to an attack. They are easy targets, and they need someone who knows better to give them the information and resources they need to protect themselves.