Overwhelming Cyber Attacks On Healthcare

US Healthcare organisations are struggling to find ways to manage the risks of massive data breaches, which have proven hard to detect, often taking months to discover.

In 1996 the US Health Insurance Portability and Accountability Act (HIPAA) was enacted. The Accountability portion of the law requires that healthcare providers protect the privacy of patient health information and includes security measures that must be followed. Provider success has been mixed and has recently come under intense scrutiny due to the number and size of reportable breaches of health information.

There are several major contributors to this increase. The first is the passage of the American Recovery and Reinvestment Act of 2009. The ARRA included the formation of the Health Information Technology for Economic and Clinical Health Act (HITECH). It also made permanent the Office of the National Coordinator for Healthcare Information Technology (ONC) to set policy and standards and establish procedures to guide and measure the success of the implementation of electronic health records.

Creating EHR systems requires storing a large amount of confidential patient information in multiple information systems and allowing thousands of users and other systems to access those databases.

Adding to the difficulty of securing this data is the increasing number of criminal attacks and HIPAA violations because of the rising value of health information. For many criminals, credit cards had been the target of choice. However, the value of a credit card is brief, as all transactions can be stopped immediately after the bank is aware of suspicious activity.

By contrast, the value of a medical record can be worth 30 times the value of a credit card on the black market. The reason is that the health records contain enough information to create a complete identify for the purpose of opening accounts, obtaining loans, creating passports and stealing healthcare services. The most valuable records include expired patients where identify theft may not be discovered for years.

In 2016, the Ponemon Institute reported that during the last two years, 89 percent of all hospitals reported to the Office of Civil Rights at least one data breach, and 79 percent reported two or more. Many in the industry believe that almost every hospital has experienced multiple breaches.

In the battle to protect health information, many providers are simply outmanned and outgunned by the sophistication and resources of hackers. Some healthcare organisations experience thousands of attacks daily, some of which are likely to succeed in penetrating the perimeter defenses. Once inside, hackers have increased opportunity to steal user credentials that will move them up the security ladder and into the data systems that contain the most valuable information

After enough credentials are collected, it is simply a matter of slowly withdrawing information without triggering alerts. Ponemon reported in 2016 that it takes an average of 226 days to discover a breach and 69 more days to determine how it occurred and to stop the flow. It is safe to assume that after nearly ten months of access, there is little information left for the hacker to steal.

In addition to criminal hackers, hospitals must also contend with staff members using their credentials in an unauthorised manner. There are many reported instances of staff accessing records of co-workers, family or neighbors. The most publicized violations are stealing and selling celebrity health records to the media.

When a staff member is offered thousands of dollars for a single record, they may believe it’s worth the risk of being caught.

HealthDataManagement

 

« Women Suspected To Attempt Next Terror Attack
Stolen NSA Hacking Tools For Sale In Bizarre Auction »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

EIT Digital

EIT Digital

EIT Digital is a leading digital innovation and entrepreneurial education organisation driving Europe’s digital transformation. Areas of focus include digital infrastructure and cyber security.

Hypori

Hypori

Hypori is a virtual smartphone solution that makes truly secure BYOD a reality for organizations in healthcare, finance, government, and beyond.

OGiTiX

OGiTiX

OGiTiX Software AG is a German software manufacturer specializing in Identity and Access Management.

SIS Certifications (SIS CERT)

SIS Certifications (SIS CERT)

SIS Certifications is an ISO certification body serving more than 10,000 clients in over 15 countries worldwide.

ITsMine

ITsMine

ITsMine’s Beyond DLP solution is a leading Data Loss Prevention solution used by organizations to protect against internal and external threats automatically.

Aristi Labs

Aristi Labs

Aristi Labs provides comprehensive security solutions to help businesses protect data and intellectual property, minimizing downtime and maximizing productivity.

Quside

Quside

Quside, a spin-off from The Institute of Photonic Sciences in Barcelona, designs and manufactures innovative quantum technologies for a wide range of applications including cyber security.

Seadot Cybersecurity

Seadot Cybersecurity

Seadot offer cybersecurity services to organizations with a high demand for regulatory compliance and security.

NARIS

NARIS

NARIS is the leading provider of an integrated Governance, Risk and Compliance platform called NARIS GRC.

Sencode Cyber Security

Sencode Cyber Security

Sencode provides a range of IT security solutions and services, including penetration testing and cyber awareness training to help mitigate the growing risks to your corporate infrastructure.

Stryve

Stryve

Stryve is a leading carbon-neutral provider of specialist cloud and cybersecurity services in Europe.

InfoSec4TC

InfoSec4TC

InfoSec4tc is an online Information Security Courses, Training, and Consultancy provider.

Mitigo Group

Mitigo Group

Mitigo offers a well considered and effective approach to keeping businesses completely secure from any digital attacks.

Anura

Anura

The world’s most accurate ad fraud solution protects your web assets by eliminating bots, malware and human fraud, ensuring your content is seen by real people.

Mindflow

Mindflow

Mindflow is dedicated to bringing answers to the challenges the cybersecurity field and beyond face today.

Vambrace Cybersecurity

Vambrace Cybersecurity

Vambrace is an experienced cybersecurity consultancy and operations outsourcer helping you to secure your business in an increasingly-hostile cyber environment.