What we can learn from major healthcare data breaches in 2015


There’s no doubt that 2015 was a record breaker in data breach attacks. Of all the industries and sectors affected by the attacks, healthcare was perhaps the most severely hit. Some 15 major attacks have been documented so far, and not a month goes by without reports of another healthcare organization being compromised by hackers, resulting in the theft of personal information of millions of patients, employees, and health-related service providers.

With 2015 coming to a close, we’d be wise to take a closer look at what caused the attacks, the damages made, and how we can move forward to stem the flow of attacks and heighten security next year.

Who is being targeted?

The trend of hacks against the healthcare industry started last year after Community Health Systems was hacked, resulting in data on some 4.5 million patients being stolen. Subsequently the FBI issued an alert to the healthcare industry, warning providers that hackers were likely to target them and calling on companies to scrutinize their networks for security gaps and evidence of attacks.

Since then, attacks against the healthcare industry have been on the rise. According to Ponemon Institute, some 91 percent of healthcare organizations in the U.S. have been the victim of a cyber-attack in one way or another in the past two years.

The companies hit by major data breach attacks in 2015 include some of the biggest players in the healthcare industry. The most severe case so far has been the data breach at health insurance giant Anthem, billed as the second largest in the U.S. Anthem confirmed in February having suffered a breach resulting in the theft of data on approximately 80 million current and former customers.

Other major cases include the Premera Blue Cross data breach, in which the records of 11 million people exposed, and the Excellus attack, with as many as 10 million personal records stolen.

What’s in it for the hackers?

For data thieves, healthcare providers contain a dragon’s horde worth of data. The data stolen include personal information such as names, Social Security numbers, birth dates, email and home addresses, and income data for employees. In some cases, targeted companies admitted sensitive medical history and credit card information were stolen by attackers.

Credit card numbers and credentials are perhaps the most sought-after information, for they are the quickest way to lay hands on easy cash, but there are many other ways that the attackers can put the stolen data to use.

For instance, Social Security numbers, birth dates and bank account info can come in handy in identity theft attacks, and hackers can use these bits of information to carry out other malicious activities, such as resetting email and social media account passwords.

Although not of any financial value per se, the medical information can prove to be the most sensitive and destructive of the lot, because it can be used in far more malicious ways, including blackmailing victims and leaking to the media. This kind of information falls under the Health Insurance Portability and Accountability Act (HIPAA), the federal law which sets the framework for the protection of medical data. Targeted companies may face legal charges for having failed to protect such data.

How are the attacks affecting healthcare service?

The recent advances in health technology, especially in the IoT and smart wearables sector, has created a lot of potential for the improvement of health services and patient care. Gadgets such as Apple Watch, Android Wear and Fitbit continue to gain popularity, and consumers are putting increasing pressure on healthcare IT vendors and hospitals to allow their health data from personal tracking devices to be shared in real time with their doctors.

However, the trend of cyber-attacks has caused organizations and hospitals to become reluctant to introduce new technology into their workflow and information sharing networks for fear of providing new attack vectors to malicious hackers. For this very reason, vendors that gather health information avoid sharing electronic health records (EHR) with others, thus rendering useless valuable data that can help provide a better picture of a patient’s health, reduce risks and improve overall care.

Unless these worries are addressed, the healthcare industry will not be able to leverage the opportunities that big data and smart devices are providing.

Why have the attacks been so successful?

IT security professionals have for years been setting their protective walls on the outer perimeters of their networks in order to prevent intrusion. But not much is being done to prevent hackers from causing mayhem after they find their way into the network.

Moreover, with the increasing number of connected devices and inter-connected cloud services, the inside and outside of systems are not as clearly defined as they were a few years ago.

Therefore, while in most cases targeted companies claimed to have protected customer information through encryption of data, yet after breaking into their systems, hackers easily gained administrative privileges, giving them access to all sensitive resources, including databases and decryption keys.

What needs to be done to prevent further attacks?

A change of culture needs to be adopted in order to prevent further attacks from taking place against healthcare organizations.

Nathan Wenzler, executive director of security firm Thycotic, suggests that in addition to protecting the outer shell of the system through firewalls, organizations need to implement measures to protect sensitive data closest to its source.

He also stresses that since most data security tools can be bypassed by administrative privileges, there needs to be more control on privileged credentials within a system and who has access to them. Simple measures such as limiting administrator-level users and regularly changing administrative passwords can go a long way toward improving system security and reducing intrusion damage.

James Donelan from cloud service provider MuleSoft offers another practice that can help take advantage of new technology while avoiding to cause security holes. His solution consists of developing API-based services that can allow disparate systems to interact with each other through clearly defined interfaces without breaking the underlying data or compromising security.

Jen Martinson, editor-in-chief at Secure Thoughts, emphasizes the need for uniformity and training. “Standards need to be raised across the bar,” he says, “and everyone with access to data needs to know how to fully protect it. Healthcare organizations need to be willing to invest in this continually to stand a chance of keeping their patients safe.”

Final thoughts

We are living in a world where data is rising in quantity and value, which offers new possibilities while also introducing new threats. The 2015 healthcare cyber-attacks taught us many invaluable lessons in this regard.

The tech community must work together to see to the progress of the healthcare industry in tandem with other sectors while avoiding the pitfalls and the repeat of 2015’s failures.

Do you have any suggestions or compelling ideas on how to further improve the healthcare IT security? Share with me in the comments or drop me a note.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.