Data breaches are occurring in the healthcare sector at an alarming rate. From cyberattacks on IoT devices to failure to update to the latest technologies, the healthcare sector has proven itself highly vulnerable to both cyberattacks and accidental data exposure. It is imperative to note that data breaches not only result in the loss of Personally Identifiable Information (PII), but also lead to more serious repercussions, including identity theft and monetary losses. Given the sensitive nature of data in the healthcare sector, the ramifications can be even more serious.
The healthcare sector has always been a prime target of hackers and cyber-criminals. In 2019 alone, 382 data breaches were reported, costing over $17.76 billion, according to ForgeRock’s 2019 Consumer Breach Report. Of these, 45 percent of data breaches were attributed to the healthcare sector. Following a similar trend in 2020, the number of healthcare breaches has increased drastically amid the COVID-19 pandemic. So far, up to June 2020, a total of 92 data breaches have been reported, of which 96 percent targeted PII. Medical records accounted for 25 percent of the breaches during the first quarter of 2020.
Given the current situation of the coronavirus outbreak, people are relying on their digital identity more than ever before for online activities in order to maintain their daily lives. This has created many more opportunities for cyber-criminals. Unauthorized access, followed by phishing emails, has been the most popular breach technique used during the first quarter of 2020. The following are a few of the many data breach incidents reported so far this year:
Biggest Healthcare Data Breaches of 2020
My Health E-Book
Malwarebytes’ security researchers recently identified a phishing campaign aiming to exploit public concern over the coronavirus pandemic. The email scam impersonates the World Health Organization (WHO) and attempts to encourage users to download a free e-book called “My Health E-book” on their Windows machines. The book claims to provide all the important information about the global COVID-19 outbreak and to offer complete guidance on protective measures for children and businesses. As soon as the user executes the file inside the MyHealth-Ebook.zip archive, malware is automatically downloaded and an information-stealing payload runs on the user’s machine.
Tandem Diabetes Care
Tandem Diabetes Care, a U.S.-based manufacturer of medical devices for diabetic patients, revealed in March 2020 that it had been hit by a phishing attack that breached five employee email accounts in January this year. The compromised email accounts contained important customer contact information, clinical data regarding their diabetes therapy, and crucial information related to the company’s products and services. Customers’ Social Security Numbers may also have been compromised during the attack. It is expected that over 140,000 individuals might have been affected by the data breach.
American Medical Technologies
American Medical Technologies, a California-based medical company delivering comprehensive senior-care programs, also reported a data breach in May 2020. The incident exposed the PII of 47,767 individuals. The exposed information included patient diagnosis information, names and Social Security Numbers, health insurance policy information, medical record numbers, and driver’s license numbers. The attacker gained access primarily by breaking into the company’s EMR database.
Meridian Health Services Corp.
A leading healthcare provider in the U.S., Meridian Health Services Corp. reported a data breach affecting 111,372 clients this year. According to the case filed, an unauthorized third party accessed the company’s database through phishing emails. Patient information including name, date of birth, driver’s license number, state identification number, payment card information, Social Security number, and/or limited medical information was compromised.
Beaumont Health
Personal information of 114,000 patients treated at Beaumont Health was potentially compromised in a phishing email data breach reported in April 2020. Critical information including names, Social Security numbers, medical conditions, bank account information and other sensitive data was exposed to an unauthorized third party who had gained access to employee email accounts.
How to Avoid Data Breaches
There are numerous risk mitigation strategies that healthcare organizations can deploy to improve their data breach defenses and enhance overall security:
Adopt a Risk-Based Approach
Proactive measures are among the most successful layers of defense. Healthcare organizations must adopt a risk-based approach to identify potential risks to their databases, devices and other internal networks. Weak spots must be identified, and considerable attention must be directed toward shoring up the areas that are most vulnerable to attack.
Take Security and Compliance Officers on Board
Healthcare organizations must have an in-house team of security and compliance officers who are dedicated to protecting the networks. Their objective must be to avoid any regulatory penalties due to oversight and to make the entire process of security control effective and efficient.
Monitor Constantly
Devices and records must be constantly monitored, and employees must be reminded of this regularly. Employees must be told to watch for any electronic devices or paper records left unattended, and continuously reminded that their job is to safeguard valuable patient information. Multi-factor authentication must be deployed wherever possible. Locking your device before leaving your workstation must be made a rule.
Encrypt Data and Hardware
Encryption is key to avoiding data breaches. Although HIPAA does not require data to be encrypted, nor does it consider the loss of encrypted data a breach, it is still the most intelligent way of safeguarding important data. Healthcare organizations are advised to encrypt valuable patient information as well as hardware devices such as servers, network endpoints, and medical devices to avoid data breaches.
Manage Identity and Access
Managing the identity of the users of patient information is particularly important, given how frequently such information is accessed for a multitude of reasons. A proper system must be devised that only allows access to information based on the user’s role in the organization. Such measures will ensure efficiency as well as safety for all involved.
Be Proactive, not Reactive
If a data breach does occur, a prepared, proactive incident response is critical. However, maintaining adequate security hygiene can prevent data breaches from occurring in the first place.
Own Up
If a data breach occurs, the best solution is to own it and report it transparently. Attempting to cover it up, or failing to properly handle affected patients, can undermine trust in the organization over the long run and cause lasting damage to its reputation.
Healthcare organizations must take every possible measure to eliminate the risk of security breaches. Probing healthcare organizations for vulnerabilities is always a lucrative activity for hackers, since healthcare data is ten times more valuable than credit card records. Hence, healthcare companies must consistently and proactively address this constant threat to avoid data breaches.