Cybersecurity breaches impacted 45 million individuals in 2021, a dramatic increase of more than 10 million over 2020. As stewards of vast amounts of administrative and clinical personal health information, healthcare organizations have become a go-to target for hackers, and medical data fetches top dollar on the Dark Web.
Data breaches are estimated to cost the healthcare industry $5.6 billion each year. Common causes include weak passwords, stolen credentials, application vulnerabilities, malware, malicious insiders, and employee negligence.
While the cybercriminals are counting your cash, the victims of these assaults suffer financially, legally, and reputationally. Worse, the pain is protracted; recovery often takes years. Legal fees, unbudgeted time consumed by internal and external investigations, negative media attention, community scrutiny, deflated organizational ego and pride, and overall institutional anxiety and stress are among the long list of consequences when a breach occurs.
A recent attack on Kaiser Permanente, one of the nation’s largest integrated healthcare delivery organizations, exposed sensitive medical information of approximately 69,000 patients, including first and last names, medical record numbers, dates of service, and laboratory test results. Fortunately, the exposed data did not include Social Security or credit card numbers. The breach was discovered on April 5, 2022, and disclosed to patients two months later, in June 2022. The incident has been reported as a “Hacking/IT Incident” and an investigation is ongoing.
It is fair to ask how these breaches occur with such frequency and ease. Is it because the cybercriminals are that much smarter than the collective intelligence of healthcare administrative and IT leadership? Has the industry failed to invest wisely in its technology infrastructure, or in the people who handle these data as part of their jobs? What else should be done to protect critical information?
As a constant target, the healthcare industry must develop a blueprint for mitigating data breaches, starting with a robust infrastructure and reinforced by best practices and common-sense training, such as mandating strong passwords and multifactor authentication. A comprehensive security, compliance, and integrity solution needs to be in place to greatly reduce the chance of a successful attack and to minimize the impact if one occurs.