If the vast majority of the people in your office knew they would contract the flu today, it’s safe to say most chairs would remain empty. Anyone who actually came to work would avoid others, sanitize drawer handles, wash their hands, and/or wear a mask. There would be an obvious flurry of activity as people attempted to be part of the fortunate 30 percent that wouldn’t get sick. It’s doubtful anyone would sit idly and do little or nothing. Now liken this flu scenario to a data breach: 70 percent of healthcare organizations report that they’re sick, and the majority are not taking proven and adequate measures to stay well.
In fact, there’s no way to opt out of the risk. Data breaches are at an epidemic level, with healthcare organizations experiencing the highest attack rate of any industry studied, according to the new Thales 2019 Data Threat Report – Healthcare Edition. Every healthcare organization in the study reported that it collects, stores and shares more sensitive data than ever before in complex, multi-cloud environments that are increasingly vulnerable. With the chance of exposure being so high, where’s the obvious flurry of activity to protect sensitive data, even as the threat landscape expands?
Cybercriminals know very well the comparative value of sensitive healthcare data and they’re determined to cash in on any and every vulnerability. They’re counting on the fact that only 38% or less of healthcare organizations encrypt data. As a result, they’re operating in a digital environment rife with opportunities to exploit.
Access to historical and real-time information is a critical component to patient care. From diagnosis to billing and everything in between, the safe and successful exchange of information between multiple parties is extremely beneficial for patients. And while your organization may be protected with encryption and authentication tools, what about the third-party lab or billing firm that will eventually possess the data you’re responsible for protecting?
The Forever Shelf-Life and Dark Web Value of Healthcare Breaches
A credit card or bank account can be closed. A password can be updated. With effort, a social security number can be changed. Certain types of fraud can be effectively shut down. Cybercriminals know that stolen account information has a very short shelf-life and must be bought and sold quickly over a short period of time on the dark web.
According to consumer credit reporting company Experian, a social security number sells for $1 on the dark web and a credit card account number sells for $5 to $100. Experian also estimates that a single, complete medical record sells for upwards of $1,000. Why the huge jump in value? Because medical records don’t change and can’t be shut down or removed. These records have a potentially endless shelf-life.
Unfortunately, healthcare organizations fail to encrypt everything even as they face this ever-expanding threat surface due to the sheer volume of personally identifiable information they process. With at least 25% stating in the report that they failed data security compliance audits in the past year, too many are ignoring basic preemptive measures and, therefore, the breaches will continue.
Inoculate with Encryption and Authentication
It’s likely that healthcare organizations will soon be held responsible for breaches that fall outside of their perceived digital perimeter ‒ a line that grows more ambiguous every day. Creating a shared responsibility environment across organizations is a first step, with the focus on encrypting everything. Data security professionals must transcend misconceptions about the complexities of encryption and authentication tools, move these controls closer to their data, and continuously advocate for security investment. By working together, the zero-trust environment these organizations need can be achieved.
For more key findings and security best practices, download a copy of the new 2019 Thales Data Threat Report – Healthcare Edition. Thales will also host a webinar on Thursday, Sept. 12 at 2:00 p.m. ET about “The State of Data Security in Healthcare.” To join, please visit the registration page.