New Attacks, Regulations, and Stakes Call for New Security Strategies

 Tim Callan, Senior Fellow, Sectigo The amount of data generated by the healthcare industry is staggering—and constantly increasing.  Healthcare data encompasses the personal information of patients, doctors, nurses, and administrators. It includes diagnostic information, test results, ultrasound images, x-ray images, and of course insurance and financial information. With so much sensitive patient information there for the taking, it comes as little surprise that the healthcare industry—perhaps more than any other sector—has become a primary target for cyberattacks. Now, more than ever, it is critical that healthcare organizations take decisive action to protect their data. 

There has been no shortage of major (and notably costly) data breaches in recent years. The Equifax breach, for example, affected nearly half of all Americans. Last year’s Facebook breach was also headline news, thanks in large part to the number of users affected. Then there was a lesser-known yet costly LifeLabs breach—the largest in Canadian history—affecting more than 15 million people and prompting a lawsuit seeking north of $1 billion in damages for failure to adequately protect data. 

Healthcare data heists yield a premium, making them particularly attractive to hackers. The Center for Internet Security (CIS) notes that the “average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158,” compared with $355 for healthcare records.

Though large, the LifeLabs incident isn’t even close to the largest healthcare data breach in history. That dubious honor goes to Anthem, which suffered a breach in 2015 that resulted in nearly 80 million compromised records. Although Anthem was able to reach a settlement with the victims for the relatively paltry sum of $115 million, both the standards for data protection and the expected remediation for failure have changed considerably in the five years since the attack. 

Regulations Raise the Stakes for Security

As the regulatory environment surrounding data breaches of all types grows more strict, hospitals and insurers have found themselves in the crosshairs of an increasingly brazen and sophisticated set of attackers. Part of the reason for this targeting stems from the relative value of healthcare records. There is a reason why “HIPAA” is an acronym known to most Americans, while other data protection laws are not.

Personal Health Information (PHI) tends to be more valuable than standard Personally Identifiable Information (PII) in large part due to its static nature. Patients can change a compromised credit card number or social security number, but not their medical history—and scammers prepared to exploit that history may render victims more vulnerable to certain types of fraud. 

New regulations are further raising the stakes for compliance. Although the California Consumer Privacy Act (CCPA) is...