And that threat is only growing, with President Joe Biden warning Monday of potential Russian cyberattacks on the United States.
Widespread unauthorized access to this data raises significant privacy and security concerns for consumers and industry – costing billions each year – and highlights some of the potential consequences as healthcare is modernized and that information circulates more freely.
POLITICO analyzed more than six years of data reported to the HHS Office for Civil Rights through Friday. Organizations covered by HIPAA – including hospitals, insurers and health care systems – must report breaches of protected health information affecting 500 or more people to the office, which posts such incidents publicly on what the industry calls the “wall of shame.” The breached entities are also required to notify the individuals affected.
“Unfortunately, the industry is a pretty easy choice, and they get there because they get paid,” said Mac McMillan, CEO of cybersecurity firm CynergisTek. “It’s [not] going to slow down until we get more serious about stopping it, or blocking it, or being more efficient. From the cybercriminals’ point of view, they succeed, they get paid, why would they stop?”
Healthcare information is highly coveted by hackers, who can sell the data on the dark web or use it fraudulently, including to file fake health insurance claims and for identity theft. An individual’s health details can be worth more than a credit card, said Guidehouse cybersecurity partner Cindi Bassford. And fraudulent use of this information hurts healthcare organizations’ bottom line: IBM found that each data breach cost healthcare organizations an average of $9.23 million in 2021, more than any other industry.
The industry is also particularly vulnerable to ransomware, as a potential disruption of care could threaten the lives of patients, forcing many healthcare organizations to pay ransoms.
Breaches reported to HHS are categorized by type, with hacking being by far the most prevalent. Other types of reported breaches include data theft – which could mean a stolen laptop – and unauthorized access, which could mean accidentally sending information to the wrong people.
Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society and a member of the DHS cybersecurity training panel, said hacking has become easier for cybercriminals. They are more successful because open source tools allow them to better target vulnerabilities.
And cybercriminals collaborate with each other, often selling ransomware programs to others, forming a “cottage industry,” said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.
Not all of the more than 46 million people affected in 2021 will suffer significant consequences from having their information compromised. Many won’t realize it happened or understand what it means, said Carter Groome, CEO of healthcare risk management consultancy First Health Advisory.
Some experts like Kirk Nahra, a privacy attorney at WilmerHale, say few people whose information is compromised are significantly affected. But others say the exposure is considerable.
“If you think there’s confidential medical information about you floating around, it’s eating away at you, because you really don’t know the impact,” said Harry Greenspun, partner and chief medical officer at Guidehouse, a consultancy firm.
Genomic information could be harmful and potentially used in extortion schemes, Greenspun said. Cybercriminals could potentially use this data to find children that a parent has never acknowledged, or to disclose that a politician might be predisposed to dementia.
The total number of reported breaches is also on the rise because healthcare organizations have become more aware that they are happening, experts say.
The shift to remote work in recent years, accelerated by the Covid-19 pandemic, is another reason, experts say. With remote work comes a lack of onsite IT support, Greenspun said. The need for businesses to move quickly to remote work led many organizations to delay implementing security patches, he said.
Additionally, many employees use their own personal devices for work, which can make businesses more vulnerable.
“You have kids doing Zoom for school, everyone is doing all kinds of things on it,” Greenspun said. “So it’s a much less secure environment and a lot less controls. This opens the door to opportunists.”
The effort to let healthcare data flow more freely is also a factor, experts say.
For years, the industry has struggled to facilitate better sharing of health information, which has historically been blocked by data siloed within individual health organizations. The 21st Century Cures Act, signed into law by former President Barack Obama, required healthcare organizations to share more data to enable better coordination of care.
“Because data is starting to move more freely, that’s sort of the cost of doing business,” said Aaron Maguregui, senior counsel at Foley & Lardner.