In the past year alone, the health industry has seen numerous reports of security breaches and data leaks in its systems that have compromised confidential patient data. However, a report has revealed that hospitals and other healthcare institutions allocate only around five percent of their Information Technology (IT) budget to cybersecurity.
Healthcare institutions – hospitals, clinics, insurance companies – hold a massive amount of patient data and records, including names, addresses, social security numbers, insurance information, and even credit card numbers. However, hospitals fall behind banking and financial services, which spent 7.3 percent of their IT budget on cybersecurity, as well as retail and wholesale services, which spent 6.1 percent.
This meager allocation of funds to cybersecurity comes amid a growing number of incidents and reports of data breaches in hospitals and other healthcare facilities. In fact, 82 percent of hospitals and similar institutions have reported a “significant security incident” in the last 12 months, according to the 2019 Healthcare Information and Management Systems Society (HIMSS) cybersecurity survey.
As hospitals and other healthcare institutions keep a plethora of rich confidential information, breaches of their databases are nothing new. According to Mark Greisinger, president of NetDiligence, a cybersecurity firm, hospitals, clinics, and healthcare insurance companies have been victims of ransomware and phishing attacks for decades because they are the “holy grail of personal data.”
Of those institutions that have reported cyberattacks and data breaches, 20 percent blamed the attack on vendors, consultants, or other parties. More than 50 percent said that the attacks were malicious. “They probably haven’t been taking this seriously until recently,” said Patrick Florer, co-founder of Risk Centric Security, which researches cyber security and cyber insurance.
Last week, five more hospitals reported that they were affected by a vendor data breach. They were notified that thousands of their patients’ data might have been compromised in a ransomware attack on Health Alliance Plan and Blue Cross Blue Shield of Michigan.
In addition to HAP and BCBS, Grand Blanc, Michigan-based McLaren Healthcare, Three Rivers (Mich.) Health, North Ottawa Community Health System in Grand Haven, Michigan, Warren General Hospital, and UPMC Kane were reported to be affected by a massive breach of data. According to Darryl English, president of Wolverine Solutions Group, the number of patients affected by the breach is estimated to be in the hundreds of thousands.
The attack on WSG happened on Sept 23, 2018, when ransomware locked the company out of its servers and workstations. However, an investigation revealed that the data that had been stolen were encrypted. There are no updates yet as to whether or not the encryption was bypassed to gather the patient information.
It is, however, understandable for hospitals to allocate less to data security when their funding goes mostly to patient care and facilities, especially since most of them have very limited resources. Doug Brown of Black Book Research, a market research company, said that “there are so many other things healthcare systems need and people are begging you for and yelling you for. They’re not really putting the attention on cybersecurity because it’s a really boring issue.”
Just recently, the Singaporean government announced that it was able to identify the culprits in the massive data breach against SingHealth, which has become one of Singapore’s biggest information heists. A private cybersecurity firm has identified the perpetrators as a group named Whitefly and said that the SingHealth attack is just one of the larger worldwide attacks orchestrated to steal data across industries.
But hospitals don’t only face online data breaches. Data leaks can also happen offline, especially since many hospitals have yet to adopt a state-of-the-art database and still rely on handwritten and printed records for data safekeeping. In New Zealand, thousands of patients’ data was leaked after a hospital employee mishandled printed documents containing confidential information, leaving them to be blown away by the wind.
Furthermore, data breaches also happen even when cybersecurity protocols have been streamlined but human resources have not. Singapore also faced a data breach of its HIV registry when a disgruntled Mikhy Farrera-Brochez intentionally leaked it on his Facebook account after he was angered by his deportation. He is now facing a trial for the said data leak.
As a silver lining, hospitals and healthcare facilities have started to understand the importance of cybersecurity in light of the growing number of reported attacks. The HIMSS cybersecurity survey also said that about 38 percent of healthcare organizations had increased their cybersecurity spending from 2017 to 2018.