What makes PHI so attractive to hackers?
It’s no secret that healthcare data is attractive to hackers. Hacking and IT-related incidents account for the majority of compromised PHI, but why exactly has the healthcare sector become such a popular target?
Long-term benefits
PHI is thought to be approximately 10 times more valuable to cyber criminals than credit card data due to its longer shelf life; while credit cards are often cancelled, rendering them useless, PHI can be used in a multitude of ways, and breaches typically take longer to detect.
Multiple ways to use data
Whereas stolen financial information must be used quickly to be effective, stolen PHI, which often contains personal information including name, address, date of birth, Social Security Number and past medical claims information, can be used to commit fraud, to obtain medical care in the victim’s name, and even for blackmail.
For victims of a PHI breach, the fallout is far worse than a breach of credit card information. Because breaches take months, and sometimes years, to be detected, identity theft committed over a long period can damage a victim’s credit rating. Unlike credit cards, where laws exist to limit an individual’s liability, there is little by way of recourse for individuals whose PHI has been compromised.
Easy target
Despite the potential for huge fines, healthcare organizations are often still considered an easy target for hackers. Inadequate vigilance in ensuring third-party providers are securely managing PHI has been cited as a major concern among healthcare IT professionals, although a number of major breaches, including Anthem and Premera, are believed to have occurred as a result of direct phishing attacks on the organizations themselves.
What can healthcare organizations do to prevent hackers from accessing PHI?
In accordance with the HIPAA rules, covered entities and their business associates must adhere to technical, administrative and physical safeguards to ensure PHI is kept safe.
While there is no guaranteed way to completely prevent an organization from becoming a target for cyber criminals, there are a number of measures that can be put in place to lessen the risk of a breach occurring.
This includes:
- Regular employee training and awareness programs to ensure that staff are aware of tactics used by cyber criminals (such as domain spoofing, malware, and phishing scams).
- Investing in data loss prevention controls and activities such as encryption and endpoint security solutions.
- Ensuring that staff are using strong passwords, and multi-factor authentication methods are in place when accessing PHI.
- Putting policies in place for BYOD to prevent employees from accessing PHI via non-secure methods.
- Storing and transmitting PHI via a method that meets HIPAA requirements – if this is managed by a third-party provider, a business associate agreement (BAA) must be signed.
Scrypt is dedicated to transforming productivity in healthcare so caregivers can spend less time worrying about security, and more time helping patients. For more information on reducing the risk of data breaches within your organization, speak to us today to find out how we can help you work better, with confidence.