Over the past decade, the medical care system has been moving toward total digitalization, using technology to improve the quality and effectiveness of medical treatment and health care delivery. Patients can contact their doctors from anywhere using their devices. Doctors can examine their patients and check their blood pressure and heart rate in real time. Although technology has made health care services very convenient, sensitive personal health data is exposed to cyberspace and becomes very attractive to hackers. According to Cybersecurity Ventures, ransomware strikes will rise five-fold by 2021. Also, Cybersecurity Ventures professionals indicate that the health care cybersecurity field will expand by 15% a year and will grow to $125 billion by 2025. Today, cybersecurity has become a major issue and a crucial strategic advantage that every organization, particularly in the health care industry, must focus on critically.
By Roman Zhidkov, CTO at DDI development
What is health data?
Before we talk about health data security and the reasons why this kind of data must be kept safe, we should discuss what health data actually is. Health data is every type of information about a health condition, medical treatment, the personal preferences of the patient, all reports about health status, and the patient’s medical history. Moreover, health data includes information about the patient’s socioeconomic status, security number, policy number, and even credit card numbers. Health data covers:
- Data generated by doctors and other medical professionals (health records, prescriptions, test results, and other details).
- Data generated by patients (illness monitoring, use of wearable devices, reactions to medical posts in the media, and others).
Top 5 reasons to secure health data
Hacking and cyber strikes are the main concerns and a growing difficulty for the health care industry. Here we explain why.
1. Health data boom
The value of the health technology market is rising at an extremely rapid pace. But it is not only the value: the volume of health data that is produced and collected globally is swelling as well. Health data is expected to grow from 153 exabytes in 2013 to 2,314 exabytes in 2020. With a poor and outdated level of health care security, this very sensitive and personal information becomes a perfect target for cybercriminals all over the world. With these files open, hackers get a patient’s name, date of birth, account numbers, details about the family, address, property tax account, or even voting report. Criminals can create a fake identity to purchase medical equipment or drugs, prescribe medicines, or get medical services, not to mention the possibility of blackmailing public figures or ordinary people. The worst part is that health data cannot be changed once the attack is detected. You cannot block it the same way as you block your credit card. When medical data is stolen, the damage is irreversible.
2. Smartphone penetration and the rise of IoT
Smartphones continue to conquer the world. In 2020, global smartphone penetration passed the 40% mark and reached 41.5%, with the U.S., the UK, and Germany topping the list of countries in terms of smartphone users. As the popularity of smartphones grows rapidly, mobile and demanding users are no longer satisfied with having only one device. Currently, they can use a smartphone, tablet, wearable device, and laptop. But the rise of the Internet of Things (IoT) means that connected devices are constantly communicating with no human involvement. By the end of 2020, the number of IoT devices in homes will grow to 12.86 billion. About 40% of IoT devices will be used in business and manufacturing. The health care sector is no exception. By the end of 2020, 40% of health care IoT devices will be used for patient health status monitoring, health data management, video conferencing, etc. However, security statistics claim that 84% of companies that have embraced IoT have undergone some kind of security violation. This means that IoT can provide a side-door entry to any network; in the health care sector, health data will be at risk.
3. Costly data breaches
When attacked, industries spend millions of dollars to recover and pick up the pieces. Canadian financial services cooperative Desjardins Group spent $53 million to recover after a massive cyber breach in 2019. British Airways and Marriott International added $100 million apiece to their final bills after their incidents.
As reported by Ponemon Institute, data breaches cost $3.86 million per breach on average in 2020. To make things worse, health care is the sector with the highest data breach cost of all industries. This year it is $7.1 million on average. Health care organizations top the list of the highest data breach costs for the 10th consecutive year because costs are skyrocketing for unprepared organizations. The more costly and damaging the data breaches, the more likely businesses are to shut down. That is why the health care industry is severely impacted. In addition, there is little chance that this unfortunate tendency will decrease in the near future. With that in mind, medical organizations should work on a security plan to detect, prevent, and respond to future data breaches.
4. Health care staff’s negligence
While the world is discussing the risk of cyberattacks, a recent study showed that more than half of the data breaches in health care happened due to the negligence of hospital staff. According to the research presented by Michigan State University and Johns Hopkins University, 53% of health care breaches happened because of insiders’ negligence. The researchers reviewed 1,150 cases that affected more than 164 million hospital patients and found that cybercriminals are responsible for less than half of them. The rest of the data leaks would never have happened if health care employees had followed the strict protocols and procedures set by their respective organizations. If there are no protocols and procedures, we suggest adopting internal policies and procedures that will reduce personal data leaks caused by negligence. These procedures cover keeping medical records in safe storage, implementing encryption, and using reliable health care mobile apps, or creating a telemedicine platform that will keep sensitive patient data safe and help monitor employees.
5. Medical records misuse
When medical records are not secured properly to protect sensitive health data, they can be misused. Here are some cases that happened a couple of years ago. A man providing financial audit services for a health care organization found out that a girl had an abortion there, and the girl happened to be his niece. The man told the girl’s parents about the abortion because they were religious people. Elizabeth Dove was upset to discover that confidential information about her suspected depression was shared with the local council. Although Elizabeth never gave permission to share her medical records and she never had trouble with the police, her right to privacy and confidentiality was violated. If we speak about public figures, let’s recall an unfortunate incident that happened to Britney Spears when her medical records were revealed to the whole world. As you see, medical records misuse is a serious matter and can be as damaging as hacking.
To sum up, health data security is an even more important issue to focus on than financial data security, because quite often it is much harder, more frustrating, costly, and time-consuming to correct and restore health data. Medical records, when breached, cannot be changed or cleaned at the touch of a button: the damage is irreversible. For health care organizations, a health data breach can be financially and reputationally destructive and lead to a shutdown. That is why health care organizations should keep sensitive and valuable data safe and secure.
About the Author
Roman Zhidkov is a CTO at DDI development. He is a professional with an advanced degree in Cybersecurity, and 7 years of experience in building a cybersecurity strategy for all the company’s projects. He has a deep understanding of network security, compliance, and operational security.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.