Patient Records Are the Richest Targets
Healthcare is the New Gold Mine.
Imagine you’re running a medical facility with a full day of surgeries planned back-to-back. It’s early in the morning and you’re bringing in the first patient of the day when suddenly the screens on your patient record system are locked down. Critical information like blood type, medicinal allergies, and surgical details is scrambled and incoherent. You call your IT department and they inform you that your records are being held hostage and you’ll have to pay a ransom to get back to normal.
Everything for that day is put on hold. Patients who were expecting relief from their ailments are rescheduled for another day. Your revenue stream is disrupted. Operations are upended. Patients are always your first priority, but now your hands are tied until you’ve solved your ransomware issue.
That’s a nightmare scenario that’s bad for the facilities and the patients. It’s a problem that’s not only not going away, it’s getting worse. According to a report in Security Boulevard, the US observed 145.2 million ransomware hits in Q3 of 2019, which is a 139% year-over-year increase. According to recent reports, the average breach costs an organization $3.92 million, and the cybercrime syndicates responsible for these highly sophisticated attacks are growing rapidly throughout the world. They are having a devastating impact on business: disrupting commerce, interfering with business operations, and holding critical health information for ransom.
So if these cybercriminals are after big money, what do smaller healthcare facilities have to worry about?
Healthcare Facilities Focus on Patients and Forget About Security
Initially, logic might suggest that if thieves were in search of money, they might go where the money is, such as a financial institution. While credit card companies and banks are obvious targets when it comes to cybercrime, an FBI alert in November 2020 points out that hacking healthcare facilities bears greater rewards for much less effort, as they are generally less prepared than financial institutions and have employees who are less aware of hacker tactics.
Why Personal Healthcare Information?
In addition to the fact that healthcare facilities are less defended than financial institutions, the patient records held by healthcare facilities contain a uniquely valuable array of data including patient addresses, social security numbers, birthdates, spouses, and financial information all in one place. Unlike a credit card, this type of information can’t be cancelled. With this information, it’s easy for a cybercriminal to steal a person’s identity, create false bank accounts, even apply for loans. Worse yet, once a cybercriminal steals this information, they’re free to sell it over and over again to the highest bidders.
Value of Personal Healthcare Information
The value of patient records has skyrocketed past that of more traditional data records like social security numbers and credit card information. On top of having access to data for sale on black markets, cybercriminals can use Provider ID numbers to prescribe narcotics and other controlled substances. These prescriptions can then be filled and sold illegally. Most employees of healthcare organizations are completely unaware of the far-reaching implications that give their patient records such high value.
Here’s how the value of a patient record breaks down on the dark web today:
- Social Security Number: $1 per record
- Credit Card Data: $110 per record
- Patient Health Record: Up To $1275 per record
A facility with merely 5000 records is worth half a million dollars to cybercriminals on the dark web. And that’s even before they make repeat sales.
Cyberattacks are constant and their impact is real. The time to focus your attention on the problem is before an attack happens, not after. It is essential that your facility has a plan to prevent attacks, that you have regular and effective staff training so employees know how to avoid malicious emails and malware, and finally, that you have a system to track your evidence of effort in the event an attack occurs.