According to a recent study, criminal and state-sponsored hacking has, for the first time, surpassed human error as the main cause of healthcare data breaches. These breaches are reported to be costing the industry as much as $6 billion. The average organizational cost is $2.1 million per breach, with each incident involving an average of 2,700 lost or stolen records.
What is Social Engineering?
While it is worrying that more robust data breach controls are not in place, it is also worth recognising the ingenuity and creativity of the attackers. Many of them are turning to social engineering to gain access to the data they want. Social engineering describes the techniques attackers use to obtain useful information through direct communication with key members of staff. This is different from the brute-force approach normally associated with hacking. Hardware and software are usually the targets, but here they become second-level targets, given priority only once information has been gained through social engineering.
Social engineering seeks to exploit employee trust, or predictable behaviour such as failing to follow the proper security checks before handing out key information to so-called colleagues. The approach may come from a crooked employee, or through a spear-phishing email, in which the sender addresses you with a greater degree of familiarity than a stranger would and exploits a key piece of information they already know about your role inside the organization they are targeting.
Ponemon Institute Survey
The Ponemon Institute's survey, one of the leading studies on the privacy and security of healthcare data, found that more than 50% of respondents said their organization's internal incident response team was either understaffed or underfunded, and roughly one third of respondents had no incident response plan in place whatsoever. This seems almost fictional given how heavily the high-profile data breach cases have been publicised in the media.
The results of the Ponemon Institute study reveal the need for organizations in the healthcare industry to better protect themselves and their records from social engineering attacks. 40% of the health organizations in the study admitted that they had reported more than 5 breaches in just the past 2 years.
The study reported that since 2010 the percentage of those surveyed whose organizations had suffered multiple breaches increased from 60% to 79%. Reported cases of medical identity theft, in which someone uses a victim's credentials to obtain health care, have nearly doubled over the past 5 years, up from 1.4 million adult victims to more than 2.3 million in 2014.
Although these breaches did not have the size or severity of the recent scandals involving Anthem and Premera, they accounted for more than 91 million records containing details such as dates of birth, social security numbers, and bank account numbers.
As Larry Ponemon of the Ponemon Institute pointed out in a recent interview, many of the incidents reported involved the exposure of fewer than 100 patient records. In addition, many of the people whose data was stolen reportedly had to pay an average of $13,500 to restore their credit rating and to reimburse their health care provider for the costs of the fraudulent claims and inaccuracies, a cost that is already being disputed, since the healthcare organizations have declined to accept responsibility.
Of the health care companies that responded to the study, 91% reported at least one incident in the previous 2 years. It is clear that better practices have to be adopted as standard across the healthcare industry to combat social engineering and hacking attempts, as well as plain carelessness. When respondents were asked what worried them the most, 70% named the negligence or carelessness of an employee. 40% of respondents thought that cyber attackers were their biggest concern, and 33% were worried about public cloud servers.
Securing Patient Data
Although social engineering and traditional hacking are approaches that healthcare organizations have to be prepared for, it is the basic security measures already within their grasp that can best be deployed. Smartphones and laptops without a password or screen lock are easily accessible to anyone who picks them up, and in the era of mobile working it becomes easier for an attacker to gain access to a healthcare organization's network through such a device. Training staff so that they understand how the slightest data security lapse can lead to a major data scandal is the only way to strengthen the security perimeter on the front line of healthcare.