The healthcare industry is facing an onslaught of cyberattacks costing billions of dollars – $5.6 billion to be exact – each year. 2015 was named the year of the healthcare data breach by IBM, and this year is shaping up to be no different. According to the Identity Theft Resource Center, the healthcare sector fell victim to more than 30 percent of all reported data breaches so far this year, exposing 4.5 million records.
Don’t want to be the next victim? These are the five trends you need to stay ahead of today:
- Patient information on the black market: Hackers sell patient information containing social security numbers for as much as $50 per record. Compared with stolen credit card numbers, which are worth $1 per record on the black market, it’s clear why hackers are putting more of their effort into obtaining social security numbers. Protected health information (PHI) accounts for 52 percent of all sensitive documents stolen in the healthcare industry, so it’s important to ensure these records in particular are protected.
- Medicare and private insurer scams are on the rise: Hackers not only sell sensitive data, they also use the data to fraudulently bill health insurers. They can steal patients’ identities for free consultations or to get their hands on prescriptions they ultimately sell. This comes at a high cost to healthcare organizations. The average cost of a data breach is $201/record according to the Ponemon Institute. However, within the healthcare industry this cost rises to $359/record – 80% higher than the average.
- Encryption, encryption, encryption: The Health Insurance Portability and Accountability Act (HIPAA) may not mandate encryption of records yet, but you absolutely should do so anyway. Encryption encodes data so that only those you authorize can decrypt the information and use it. This means that even if your data were stolen, it would be unusable to the thieves. However, it is essential that encryption keys are physically held and managed by your IT team and not the cloud provider itself. When you lose ownership of encryption keys, you open yourself up to additional risks of data loss.
- Skepticism and fear are running rampant: Many healthcare leaders are wary of trying new security and storage options. The sheer thought of losing control of this regulated, sensitive data is anathema to them – so much so that some are even considering creating clean rooms with overseas application management services providers so they do not fall behind.
- Cloud or on-premises? You decide: As threats become more advanced every day and security systems need to evolve, healthcare organizations are seriously considering whether to upgrade to a secure cloud solution rather than spending the time and resources to update on-premises IT infrastructure.
Let’s spend more time on cloud solutions for healthcare, because the data shows many companies in this industry are finally warming up to them: According to the 2015 Global Technology Adoption Index, adoption of cloud technology increased from 25 percent in 2014 to 41 percent last year in healthcare alone. The cloud computing market in healthcare is set to grow at a 20.5 percent compound annual growth rate to reach $9.48 billion by 2020. The average healthcare organization uses 928 cloud services, while the average healthcare employee uses 28 cloud services during the course of a day.
What’s the problem? Most of these services are woefully insecure. According to a review by a third-party security vendor, only 7 percent of those services actually meet enterprise security and compliance requirements.
Don’t depend on HIPAA to take care of all of these problems. For starters, the most recent HIPAA rulemaking went into effect in March 2013 – three years is an eternity in today’s disruptive technology environment. Additionally, nothing in the HIPAA rules governing cloud services stated that data had to be encrypted. Essentially, HIPAA is putting the onus of security on the provider, not the cloud service. The U.S. Department of Health and Human Services recently issued new guidance on ransomware, providing better education, and backing up data – but there is still nothing specific about securing cloud technologies.
As you are looking to incorporate cloud computing into your IT strategy, here are three standards any provider should meet:
- Have client-side encryption of data, which protects files on the local hard drive as well as in the cloud.
- Offer multi-factor authentication to add an extra layer of access for all users.
- Provide data loss prevention tools to protect stored data or allow the healthcare organization to extend its DLP protocols to the cloud.
You don’t have to go it alone: US Cyber Vault has the expert team and technology to ensure you can strike the balance between information security and saving lives.
Learn more about how our flagship secure cloud solution protects your assets with hardened security implemented at every layer, from hardware to application. Military-grade encryption is applied to all your data and communications by default, and the speed of our threat detection is unparalleled: less than 24 hours, not the industry standard of 7 months. If an unplanned event should occur, countermeasures trap the attacker and mitigate damage while our cyber intelligence team responds immediately.
Written by Rob LaMear, CEO, US Cyber Vault