With major data breaches running the news gauntlet every few weeks now, it's clear that cybersecurity has become a top priority for organizations in every industry. However, health care in particular is a sector that's scrambling to secure its information infrastructure. There are a lot of reasons for this, but one of the biggest is the fact that medical records contain extremely sensitive data about patients. Aside from embarrassing health facts that can later be used to extort the victim, these documents also often contain personally identifiable information such as full names and physical addresses.
In fact, this problem has gotten so bad that HIPAA reported 477 breaches in 2017 with 5.6 million personal records affected. Health care administrators are doing everything in their power to stop this trend in its tracks, but they're going to need top-notch cybersecurity talent in order to do so.
Data breaches are a big concern
In order to understand the full scope of this issue, it's important to take a look at how widespread hacking is in health care. This isn't a problem that's affecting thousands or hundreds of thousands of people; it's one that's seriously altering the lives of millions upon millions of patients.
What's more, it would appear that this problem is coming almost entirely from outside hackers. Sometimes, information breaches can be traced back to an employee who used their credentials to access and distribute sensitive data. However, a report from Redspin has shown that this isn't the case in health care. "Hacking incidents" were at the root of 98 percent of breaches within the medical field.
HIPAA is meant to help
Clearly, hospitals have a lot to deal with in order to keep patient information safe. This problem has been going on for so long that in 1998, the U.S. created the Health Insurance Portability and Accountability Act. Basically, HIPAA stated that hospitals and other health care facilities are the ones responsible for the security of medical records.
Although it may seem cruel to blame an institution that was the victim of an attack from an outside criminal, it's really the only way to make sure that these organizations are doing everything they can to keep information safe. HIPAA's rules are extremely strict, with even harsher penalties for those who fail to uphold the integrity of patient data.
An individual or facility that allows a data breach to happen can be fined up to $50,000 per violation, according to the American Medical Association. While this rule has a yearly $1.5 million limit, that's still quite a lot of money to lose due to the actions of a malicious individual. What's more, a person doesn't even have to know they were violating HIPAA in order to be slapped with a penalty, although these are generally lower than punishments for those who knew what they were doing.
With so much money riding on a violation, it's easy to see why health care administrators are so worried about the digital integrity of their facilities. However, there is a certain kind of hacking technique that's created a bit of a grey area in terms of HIPAA compliance.
Ransomware causing huge problems for health care
Ransomware is one of the newest players on the cybercrime scene, and it's been creating a lot of headaches for hospital officials. This specific type of malware encrypts the data contained on a computer, or even an entire network, thereby keeping employees from being able to access important information. Due to the complexity of modern encryption, these facilities are basically forced to pay a ransom if they want their data back.
Hospitals need their patients' medical records in order to treat them properly, and an inability to access these documents can cause serious harm. What's more, hackers know exactly how much to ask for from these facilities. A 2015 attack on a Hollywood hospital netted the attacker $17,000 in Bitcoin, which is certainly a lot of money but pales in comparison to the lives at risk.
This isn't some small trend that's only hitting a tiny portion of hospitals, either. A survey conducted by HIMSS Analytics and Healthcare IT News found that roughly 50 percent of medical facilities within the study had dealt with ransomware within the past 12 months. It's a vicious way to make money, but it's clearly effective, and hackers are beginning to notice this.
That said, the major problem right now is that ransomware isn't exactly covered under HIPAA. There are arguments to be made that ransomware violates HIPAA, but there isn't a precise provision discussing this new hacking technique. HIPAA was created in 1998, and it would have been impossible for its creators to envision this current predicament. But regardless of how this all plays out, it's clear that these organizations need help.
Health care needs more cybersecurity talent
The health care industry is in dire need of workers with extensive knowledge about cybersecurity. What's more, the sector also needs people who have an understanding of HIPAA and what is required of medical facilities in terms of data security.