Health care providers and insurers are seeing 340 per cent more security incidents and attacks than most industries, according to a report issued today.
The numbers, gleaned from a global survey last year by security provider Raytheon Websense, is another warning to the industry that the personal and financial information they hold is seen by cyber thieves as at least as important, if not more, than data held by retailers and governments.
In an interview Robert Slocum, Websense’s senior security product marketing manager, noted that a health care record on the black market is 10 times more valuable than credit card info.
Last year health providers and insurers were 200 per cent more likely to encounter phishing lures and redirects than most industries, today’s report pointed out.
Attacks on commercial companies like Target, Sony, and the U.S. and Canadian governments have been headlined. But there have also been huge breaches in U.S. medical industry this year, including insurer Anthem Inc. where account information of as many as 80 million customers was exposed.
In Canada, hospitals or regional health authorities still hold patient records despite provincially-run medicare. Unlike the U.S., where many patients aren’t covered by private insurance and have to pay up front for care, institutions here won’t have much in the way of credit card data. But they will have some private health care information. opening the door to insurance fraud.
Not all provinces make it mandatory for hospitals to report breaches so some attacks may not have received public attention.
Still, Kevvie Fowler, a partner in KPGM Canada’s risk consulting services said in an interview this week that “a lot of health care providers (in Canada) don’t see the information as desirable to attackers, in contrast to credit card or finance data. I think that leads to a false sense of security.”
“There are quite a few breaches that have been reported — some not publicly — that involve health care information,” he added.
In August KPMG issued a report that said four-fifths of executives at U.S. healthcare providers and payers surveyed believe their information technology has been compromised by cyber-attacks. That report conclude the U.S. healthcare industry is behind other American industries in protecting its infrastructure and electronic health records because of outdated clinical technology, insecure network-enabled medical devices, and an overall lack of information security management processes.
That report, though, was a U.S.-focused study. Fowler couldn’t say how the Canadian healthcare industry compares to the U.S., other than to suggest the value of personal and health information to thieves knows no boundaries.
Slocum said not only do CISOs have to deal with personal medical records, increasingly they have to deal with personal data collected by Internet-connected medical devices. Protecting data on the so-called Internet of Things is still in a fledgling stage.
In addition, there’s the threat of insiders accessing data for their own purposes. Last year, for example, staff accessed former Toronto mayor Rob Ford’s medical records at an institution at three hospitals where he was being treated for cancer. It wasn’t clear if they saw paper or computer files.
Slocum said he knows of a case in the U.S. where a surgeon uploaded copies of patient files to Dropbox to use at the adjoining medical school where he teaches. It wasn’t to gain any advantage, but it was a privacy breach nevertheless. “The doctor saw nothing wrong with what he was doing,” Slocum said — give med students up to date training.
In a lot of ways, he acknowledged, CISOs have to meet the challenges of health data protection the same way as any industry: By following best practices, staff education, understanding the flow of data and where the risks are — increasingly, for example, doctors want to access data remotely — and having a data theft prevention program.
Fowler did say that boards of Canadian health institutions are getting more involved in the awareness and management of cyber risk.
