A total of 2,701 breaches have been reported to the Department of Health and Human Services (HHS) since 2009, with 138 breaches reported during the third quarter of 2019. Over 230,588,249 patient records have been affected by breaches since 2009 according to the same data. This is a staggering number. For perspective, if these were unique patient records, it would represent approximately 70% of the United States population. A breakdown of all reported breaches, including the reason for the breach can be seen below in Figure 1.
While theft accounts for a higher number of incidents, hacking is the cause of 77% of all patient records breached, according to the data reported to HHS. The data makes it very clear that Protected Health Information (PHI) is highly sought after by cyber-criminals. PHI can be monetized on the Dark Web for an average of $4 - $7 per record. It is worth more than a credit card number, for example, because the personal information contained in PHI does not expire and can therefore be reused for fraud again and again.
In my role as a Security Officer, I tell concerned executives that it is a matter of when, not if, their organization will be negatively affected by a cyber-event. All hope is not lost, however. There are important steps organizations can take to ensure they are prepared to respond when needed.
Conducting a risk analysis is a vital part of a robust cybersecurity program. This means a thorough evaluation that identifies all threats, existing controls and vulnerabilities, and estimates the probability and impact of each. By conducting a risk analysis, organizations are better positioned to mitigate threats and to prioritize their cybersecurity activities.
Ransomware is often reported under the category of Unauthorized Access and is one of the most ubiquitous attacks. While there are countless ways organizations can design a layered defense against hacking and ransomware, ensuring that their backups are air gapped is an absolute must. This ensures that if ransomware does succeed in infiltrating the environment, the backups remain unencrypted and therefore available for recovery.