Healthcare is one of the most heavily regulated industries, which amplifies every little wart and blemish. Laws such as HIPPA and HITECH in the U.S. require companies to report every ransomware incident as a data breach, even if no data was confirmed stolen, according to Gabriel Bassett, co-author of Verizon’s 2019 Data Breach Investigations Report.
This makes healthcare look particularly sick when it comes to breaches, with 466 cyber incidents and 304 breaches in 2018, according to the report. That made it one of the top industries for confirmed breaches, alongside the public sector and finance.
Healthcare also is among the top three industries reporting financially-motivated social engineering attacks in 2018, where someone tried to manipulate an employee or executive into giving up credentials, passwords or other sensitive information. The other top industries for similar attacks were professional services and finance, according to Verizon.
Healthcare is a money-maker for a criminal because patient records contain sensitive information, such as Social Security numbers, that can be used in identity theft and to file fraudulent insurance claims, says Bassett.
That’s why criminals targeted companies such as the American Medical Collection Agency. That breach earlier this year exposed the data of AMCA’s clients, including 7.7 million customers of Laboratory Corporation of America Holdings, or LabCorp, and 12 million customers of Quest Diagnostics, according to the publication Wired. AMCA filed for Chapter 11 bankruptcy as a result. Criminals have also attacked hospitals with ransomware, which is malicious software that is used to deny access to a computer or files unless a ransom is paid.
Healthcare also stood out in terms of the number of incidents caused by internal actors. Many of those were instances where employees accidentally disclosed protected patient information, such as sending test results to the wrong party. Still, other employees improperly accessed patient data, such as looking at the health problems of celebrities.
As a preventive measure, the Verizon report recommends corporate security officers learn where their companies’ major data stores are, limit access to necessary searches and keep track of all access attempts. It also suggests learning which of your processes deliver, publish or dispose of personal or medical information, and ensure there are built-in checks so that mistakes don’t end up releasing data to the wrong party.