Healthcare under attack: How to protect medical data from breach

Published Aug 11, 2022 by Xiph

Did you know that personal medical information is worth at least 10 times more than your credit card information on the black market? It’s no wonder that the healthcare sector remains the most breached industry sector, accounting for 18% of the 464 breaches reported to the Office of the Australian Information Commissioner (OAIC) in the second half of 2021. It was followed by finance (12%).


Why is healthcare information so valuable?

Stolen health records contain highly sensitive personal information and can fetch as much as $1,000 per record on the dark web. In contrast, tax file numbers sell for between $20 and $50, and stolen credit card details for even less (under $5). The incentive for cyber criminals to target medical databases is therefore significantly higher than the incentive to target banks or other financial institutions. Because hospitals store huge amounts of patient and other confidential data, they face the highest risk of data breaches, followed by the private health sector.

How do cyber criminals use healthcare information?

Medical data is a lucrative business on the black market because it typically combines more personally identifiable and sensitive information with financial information than a financial data breach alone would yield. This includes names, birth dates, patient numbers, policy numbers, diagnosis codes, health or genetic information, medical imaging, billing information, and so on. Criminals use this data gold mine for identity theft, extortion, blackmail, the purchase of drugs or medical equipment for resale, fraudulent billing and insurance claims, and more. Healthcare providers and the finance industry have consistently reported the most data breaches of all industry sectors since the introduction of the Notifiable Data Breaches (NDB) scheme in 2018.

What are the healthcare sector’s biggest vulnerabilities/threats?

Hacking and IT incidents are the leading causes of data breaches in the healthcare sector. That’s because most hospitals and healthcare providers still run legacy software, proprietary data systems, and outdated IT systems, which make them more vulnerable to cyber attacks. The healthcare sector has also only recently completed its transition from physical patient records to electronic health records, lagging behind other industries such as the Australian banking sector. The national digital health record platform for Australia, My Health Record, only became fully operational in 2016, whereas online banking dates back to the 1990s. While the digitalisation of healthcare is still in its infancy, the sector has failed to keep pace with the latest advances in technology, systems, and applications, leaving it ill-equipped to detect, prevent, and mitigate ever-evolving cyber attacks. Email is the primary attack vector in the healthcare sector, although poor internal processes and malicious insider threats also pose significant risks. New cyber attacks against healthcare organisations are reported every week, and attacks on Australian hospitals and healthcare providers are growing rapidly.

According to the OAIC, the main data breaches relating to health service providers in Australia include:

  • Malicious or criminal attacks: mainly phishing attacks, compromised credentials, or ransomware.
  • Human error: personal information sent to the wrong recipient, unauthorised or unintended disclosure of information, and loss of paperwork or data storage devices.
  • System fault: unintended access to systems, or system failures.

Additionally, the outbreak of the COVID-19 pandemic ushered in a host of virtual health services that had to be developed and deployed quickly without adequate security measures embedded in their design, leaving healthcare providers exposed to new cyber threats.

How should healthcare providers protect medical data?

The multi-faceted nature of cyber threats means healthcare providers and hospitals should have a layered cyber security strategy with robust detection, management, and response measures in place.

Some non-negotiable security measures healthcare providers should implement include:

  • Conduct regular security risk assessments of the organisation’s IT infrastructure (e.g. hardware, systems, laptops, patient data, storage) to identify risks and remediate any vulnerabilities.
  • Enable automatic security patching on all management systems.
  • Have a robust firewall in place, coupled with antivirus and intrusion detection software, to keep attackers out of your network.
  • Encrypt patient data whenever possible, both at rest and in transit, using an approved symmetric encryption algorithm such as the Advanced Encryption Standard (AES). Regular data backups to a cloud environment are also required.
  • Use access controls to regulate who can access and use resources in the computing environment, and scan audit logs to monitor access to and management of electronic health records.
  • Restrict administrative privileges over electronic health records and change passwords every 60 to 90 days.
  • Require two-factor authentication (2FA) or multi-factor authentication (MFA) for all employees when accessing email through a website or cloud-based service, and for all remote access systems used by employees, contractors, and third-party service providers.
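The audit log point above is the one most often left at "we keep the logs" without anyone reading them. The following is an added example, not code from the original article or from Xiph: a small scanner over electronic health record access logs that flags three patterns a records team would want to review. The log format (one event per line with `user=`, `role=`, `patient=` and `action=` fields), the sample lines, the role names and the thresholds are all constructed for this example and are not a real product's format; adapt them to whatever your EHR system actually emits.

```python
"""Scan EHR access audit logs for access patterns that warrant review.

Three checks, each a common sign of misuse of record access:
  * bulk_access  - one user opening many distinct patient records in a short window
  * after_hours  - non-clinical staff accessing records outside business hours
  * export       - a bulk export performed by a role that should not be exporting
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Hypothetical thresholds and role sets; tune to the organisation's own workflows.
BULK_THRESHOLD = 10                 # distinct patients per user per window
BULK_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = (time(7, 0), time(19, 0))
CLINICAL_ROLES = {"clinician", "nurse"}   # expected to work shifts at any hour
EXPORT_ROLES = {"records_admin"}          # the only role permitted to export

# Constructed sample log (not from any real system). Format:
#   <ISO timestamp> user=<id> role=<role> patient=<id> action=<view|update|export>
SAMPLE_LOG = """\
2022-08-10T09:02:11 user=dr.smith role=clinician patient=P1001 action=view
2022-08-10T09:05:40 user=dr.smith role=clinician patient=P1002 action=view
2022-08-10T09:07:02 user=nurse.lee role=nurse patient=P1001 action=update
2022-08-10T23:41:19 user=billing.kim role=billing patient=P2001 action=view
2022-08-10T10:00:01 user=temp.jones role=admin_clerk patient=P3001 action=view
2022-08-10T10:00:09 user=temp.jones role=admin_clerk patient=P3002 action=view
2022-08-10T10:00:18 user=temp.jones role=admin_clerk patient=P3003 action=view
2022-08-10T10:00:27 user=temp.jones role=admin_clerk patient=P3004 action=view
2022-08-10T10:00:35 user=temp.jones role=admin_clerk patient=P3005 action=view
2022-08-10T10:00:44 user=temp.jones role=admin_clerk patient=P3006 action=view
2022-08-10T10:00:52 user=temp.jones role=admin_clerk patient=P3007 action=view
2022-08-10T10:01:03 user=temp.jones role=admin_clerk patient=P3008 action=view
2022-08-10T10:01:11 user=temp.jones role=admin_clerk patient=P3009 action=view
2022-08-10T10:01:20 user=temp.jones role=admin_clerk patient=P3010 action=view
2022-08-10T10:01:29 user=temp.jones role=admin_clerk patient=P3011 action=view
2022-08-10T10:01:40 user=temp.jones role=admin_clerk patient=P3012 action=export
"""


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime."""
    parts = line.split()
    event = {"time": datetime.fromisoformat(parts[0])}
    for field in parts[1:]:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_bulk_access(events):
    """Flag users who open BULK_THRESHOLD or more distinct patients within BULK_WINDOW."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["time"])
        for i, start in enumerate(user_events):
            # Sliding window: every event from this one up to BULK_WINDOW later.
            patients = {e["patient"] for e in user_events[i:]
                        if e["time"] - start["time"] <= BULK_WINDOW}
            if len(patients) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(patients)} patients within {BULK_WINDOW}"))
                break   # one finding per user is enough for a review queue
    return findings


def find_after_hours(events):
    """Flag non-clinical roles touching records outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return [("after_hours", e["user"], f"{e['action']} of {e['patient']} at {e['time']:%H:%M}")
            for e in events
            if e["role"] not in CLINICAL_ROLES and not (start <= e["time"].time() < end)]


def find_unexpected_export(events):
    """Flag export actions by any role outside EXPORT_ROLES."""
    return [("export", e["user"], f"export of {e['patient']} by role {e['role']}")
            for e in events if e["action"] == "export" and e["role"] not in EXPORT_ROLES]


def scan(text):
    """Run all checks and return a list of (rule, user, detail) findings."""
    events = parse_log(text)
    return find_bulk_access(events) + find_after_hours(events) + find_unexpected_export(events)


if __name__ == "__main__":
    for rule, user, detail in scan(SAMPLE_LOG):
        print(f"[{rule}] {user}: {detail}")
```

Run against the sample, the scan produces three findings: a bulk-access hit and an unexpected export for `temp.jones`, and an after-hours view by `billing.kim`; the clinical users are not flagged even though one of them works past 19:00 in a real hospital, which is why the after-hours rule is scoped by role rather than applied to everyone. In production these checks would run on a schedule over the EHR system's own audit export, with findings routed to a review queue rather than acted on automatically.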

By law, medical records and health information must be kept safe and private by all medical and healthcare professionals and by all healthcare facilities, such as hospitals and clinics. Various state laws dictate how health service providers may collect and record health information, how they must store it, and when and how they may use and share it. People place their utmost trust in their healthcare providers, always with the expectation that their personal information is handled with care and protected at all costs. It is the duty of healthcare providers to ensure the privacy and security of the health information they hold.

What security breach reporting thresholds have been set?

Healthcare providers must notify the Australian Digital Health Agency of any potential or actual data breaches that relate (or may relate) to the My Health Record system. These include incidents such as the unauthorised collection, use, or disclosure of an individual’s health information in the My Health Record system, as well as any event, circumstance, or action that has compromised or may compromise the security or integrity of the My Health Record system (whether or not it involves a contravention of the My Health Records Act 2012).

Under the Privacy Act 1988, data breaches unrelated to the My Health Record system must also be reported to the OAIC when the breach is likely to result in serious harm to any individual whose personal information is involved.

A final word

While a cyber security breach in any industry can have devastating financial, operational and reputational ramifications, a cyber security breach in healthcare carries the added risk of harm to patients. The onus is therefore on healthcare providers to stay up to date with best-practice cyber security measures for their sector. For advice or more information on cyber security risk assessments and audits, contact us via email: enquiries@xiphcyber.com.
