Cybercriminals attacked the healthcare industry at a higher rate than any other sector in 2015, and more than 100 million healthcare records were compromised last year, according to a new report published by IBM.
In fact, 2015 was “the year of the healthcare breach,” IBM said in its 2016 Cyber Security Intelligence Index.
The rate of attacks against the healthcare sector climbed to the highest level of all industries studied in 2015, after not making the top five in 2014, as healthcare leaped ahead of the manufacturing, financial services, government and transportation industries.
Data breaches in the healthcare sector are also getting larger – with five of the eight largest health data breaches reported since 2010 (those with more than 1 million records compromised) occurring in the first six months of 2015, IBM’s report said.
And the cost of data breaches is going up, particularly in healthcare, according to IBM’s 2015 Cost of a Data Breach study.
While the average cost of a data breach across all industries was $3.8 million in 2014 – up 23% from 2013 – the cost per record in the healthcare sector was $363 per record breached, more than twice the overall average of $154 per record.
IBM says the cost of a data breach is going up overall because 47% of breaches in 2014 were caused by malicious attacks, which are more costly to remediate, compared to 42% the year before.
If 2015 was a record year for attacks on the healthcare industry, 2016 hasn’t proved to be any better.
In February, the Hollywood Presbyterian Medical Center in California was hit by ransomware, which forced the hospital to shut down all of its computers and rely on fax machines and paper records for a week.
Rather than lose all its patient medical records, the hospital decided to bite the bullet and paid the ransomware crooks 40 bitcoins, or about $17,000, to restore the hijacked files.
Although ransomware cybercrooks tend only to be interested in data for the ransom value, healthcare data is becoming more lucrative for cyberthieves who sell the data on the black market.
As IBM explained, health records contain a wealth of information that can be used for medical identity theft and fraud:
[Health records] typically contain credit card data, email addresses, social security numbers, employment information and medical history records – much of which will remain valid for years, if not decades. Cyberthieves are using that data to launch spear-phishing attacks, commit fraud and steal medical identities.
The healthcare sector is also an appealing target for cybercriminals because the industry’s approach to cybersecurity is behind the times.
Earlier this year, Sophos conducted a survey of IT decision makers across multiple industries in six countries, finding an alarming laxity in many organizations’ approach to data security.
Our survey found that the healthcare sector had one of the lowest rates of data encryption, with only 31% of healthcare organizations reporting extensive use of encryption, while 20% said they don’t use encryption at all.
Other studies have shown that the healthcare industry lacks a culture of security.
A Sophos survey of National Health Service (NHS) organizations in the UK found that encryption was “well established” in just 10% of them, while a 2016 study of hospital cybersecurity found that patient health records are “extremely vulnerable” because of a lack of focus on cyberattacks and insufficient training.
And it’s not just hospitals, doctors’ offices, and insurance companies that are failing to protect healthcare data – private employers frequently leave their employees’ private healthcare information unencrypted.