It is November 2017. An employee of Florida’s Agency of Healthcare Administration checks their inbox. They open an innocent-looking email and click on a link. Little do they know, they have just been attacked.
The scenario above may not be far from the real events that led to the 2017 Florida healthcare data breach. On November 20, the agency discovered the breach and reported it to the authorities. By that time, hackers had accessed the names, Medicaid ID numbers, Social Security numbers, dates of birth, addresses, medical conditions, diagnoses, and other sensitive data of up to 30,000 Florida patients.
But that was nothing compared to the 2015 data breach at 21st Century Oncology (21CO), one of the worst healthcare cybersecurity failures in history. The breach exposed the names, medical information, and insurance data of around 2.2 million 21CO patients. The US Department of Health and Human Services fined the Florida-based healthcare provider $2.3 million, and many of the victims sued. As of 2019, the company was still facing lawsuits from the 2015 breach.
Is Florida’s healthcare industry safe from cyberattacks?
To be fair, healthcare isn’t the number one target of cybercriminals. There are more ransomware attacks aimed at professional services (such as law firms and certified public accountants), while global financial institutions receive more malware attacks compared to other industries.
Still, there’s something about healthcare that attracts attacks, and this is true not just in Florida. Globally, over 75% of the healthcare industry experienced a malware attack last year alone. By understanding why healthcare is a favorite target, we’ll be better guided on how to keep Florida’s healthcare industry safe.
There’s something about healthcare that attracts attacks
Here are some reasons why:
#1 Patient data is lucrative
The amount of data on a patient is staggering. Aside from basic information like name, address, and phone numbers, a patient’s records will include credit card details, Social Security numbers, medical history, and so on. Fraudsters will pay top dollar for such data on the dark web. Criminals may also use the information themselves for fraudulent activities like identity theft or blackmail.
#2 Security is overlooked or underestimated
In 2009, Congress required hospitals to digitize their health records. The move from paper to electronic health records presented challenges to healthcare providers and their vendors, and some may have sacrificed security to comply with the order. Others may have underestimated their security needs, or didn’t realize the importance of cybersecurity. The irony is that digital data is easier to steal — especially in bulk — compared to paper records, so it needs to be protected by robust cybersecurity measures all the more.
#3 Healthcare’s environment has a broad attack surface
An attack surface is the total number of possible points through which an attacker can enter an environment. Healthcare has a broad attack surface because hospitals and clinics depend on various equipment and applications. The sheer diversity of systems within an environment makes it difficult to manage and protect all the different devices and apps, especially since healthcare data needs to be easily accessible and shareable.
#4 There's a prevalent use of legacy systems and outdated technologies
It’s common for hospitals to continue using old equipment and systems; if it ain’t broke, why fix it? Also, many healthcare providers fear that upgrading their devices and their systems will unduly disrupt their services. Unfortunately, legacy systems are vulnerable to attacks because they don’t receive upgrades and security patches anymore.
#5 Healthcare staff lack training opportunities
Healthcare employees are trained to save lives, not save files from hackers. They already have a lot on their hands when on duty. Add to that their need to always be updated with the latest innovations and discoveries in the medical field, and you have healthcare workers with little time to train on cybersecurity. “Let IT handle that,” they may say. Unfortunately, in the Internet of Things era, basic cybersecurity knowledge is a must for everyone.
#6 It’s more profitable when it’s life or death
Ransomware is a type of malware that locks up a system's files and demands payment in exchange for their release. Naturally, the attack is pointless for the criminals if the ransom isn't paid. But when lives are at stake, healthcare organizations are more likely to give in to the demand to get their systems back up again. It’s also detrimental to a hospital’s reputation should the public find out that its patient data has been held hostage by cybercriminals, so management may prefer to quietly pay the ransom to silence the hackers.
#7 Attacks on healthcare are more disruptive
There are two kinds of attackers: thieves interested in stealing data, and malicious entities who like to create chaos. The second kind often consists of nation-state threat actors, or hired hackers who work for a government to target other governments. And what’s more disruptive than targeting critical national infrastructure, which includes electricity, water, transportation, and healthcare?
The reasons stated above may explain why Florida-based healthcare organizations were hit by more than 1,400 data breaches in the last 10 years. In 71% of these breaches, hackers accessed sensitive personal data. It’s clear that the Florida healthcare industry can still improve its cybersecurity track record.
Are you a healthcare provider based in or around the Tampa, Sarasota, and Orlando areas? Do you want to ensure your organization is protected from hackers? Then partner with us at HERO Managed Services, LLC. Our IT experts will protect your network and vital information against cyberattacks. Plus, we’ll make sure you’re compliant with HIPAA and all relevant regulations. Contact us today for a FREE IT consultation.