The healthcare industry has become one of the top targets for cybercriminals, owing to its heavy reliance on technology and the sensitivity of patient information. This data, which includes credit card details, email addresses, social security numbers, employment records, and medical histories, can be exploited for fraudulent activities and identity theft.
However, data breaches in healthcare aren't solely the result of hacking incidents. Privacy violations can occur due to various reasons and circumstances. For instance, an organization might be unaware of its security technology or may lack accountability when it comes to safeguarding patient privacy. Alternatively, even if an organization had implemented necessary precautions, data breaches could occur if a password-protected laptop is stolen or an unencrypted thumb drive goes missing.
Security legislation in Healthcare
The Canadian healthcare industry has a number of security standards and compliance regulations that ensure patient data is protected.
One such standard is the Personal Health Information Protection Act (PHIPA), which governs the collection, use, and disclosure of personal health information in Ontario.
The right of individuals to access information controlled by government institutions is protected by the Freedom of Information and Protection of Privacy Act (FIPPA). In January 2012, the Act was expanded to include hospitals.
Another important standard is the Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy legislation for private-sector organizations in Canada. This federal privacy legislation applies to all types of personal information, including health-related data, and covers all entities.
HIPAA is the American version of PIPEDA and a federal law that governs the privacy and security of personal health information (PHI) for specific entities in the healthcare industry, such as healthcare providers, health insurers, and health exchange organizations.
What type of health data is protected?
In Canada, all data, including users, statistics, and volume, must be available to covered entities for accountability purposes in the event of privacy violations. This includes sensitive Personally Identifiable Information (PII) such as age, name, ID numbers, income, ethnic origin, blood type, medical records, opinions, evaluations, comments, social status, payment information, and other related data.
HIPAA protects any personally identifiable information related to past, present, and future health conditions, treatments, or payments that is created or received by a “health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse.” Demographic information falls within the scope of identifiable health information.
Non-compliance with privacy regulations can have serious consequences. For instance, Heidell, Pittoni, Murphy & Bach LLP (HPMB), a New York law firm, paid $200,000 to the State Attorney General to resolve HIPAA violations that breached state laws and HIPAA rules. In 2021, HPMB was hacked by LockBit ransomware gang, which compromised their network and encrypted files. The cybercriminals exfiltrated legal documents, patient lists, and medical records containing sensitive information, such as names, birthdates, medical histories, treatment details, Social Security numbers, and health insurance information. In 2022, the law firm identified the incident and paid $100,000 for the decryption keys to prevent the data's release. The Office of the New York Attorney General identified 17 HIPAA privacy provisions violated in this case.
The healthcare industry has also seen a number of large data breaches in recent years. In 2023, some of the largest healthcare data breaches included the theft of patient data from a major healthcare provider in the United States, affecting over 10 million patients. Another data breach involved the theft of patient data from a hospital in Europe, affecting over 2 million patients.
Cybercriminals continue to target the healthcare industry due to the value of patient data and the vulnerabilities present in healthcare facilities. It is important for healthcare facilities to stay vigilant and implement strong cybersecurity measures to protect patient data and ensure the smooth functioning of healthcare facilities.
Data breaches in Healthcare Industry
Based on the February HIPAA report, there was a significant increase in breached records, rising by 418.7% to 5,520,291 records, well above the monthly average of 4,472,186 breached records. 17 healthcare data breaches with 10,000 or more records were reported, all of which were hacking incidents. The largest data breach affected 3,300,638 patients of four medical groups in California, which are part of the Heritage Provider Network. This was a ransomware attack with confirmed data theft and was, at the time of reporting, the largest healthcare data breach of the year. However, that record was surpassed by a 4.4 million-record breach reported was reported this month (Independent Living Systems). ILS Identified the breach and determined unauthorized individuals had access to its network between June 30, 2022, and July 5, 2022, and exfiltrated files containing sensitive patient data, including names, contact information, Social Security numbers, Medicare/Medicaid IDs, health information, and health insurance information.
Canada has also experienced serious healthcare data breaches, with attackers copying years of patient and employee data from the provincial system in Newfoundland and Labrador in 2021.
Hospitals aren’t the only healthcare institutions hit. LifeLabs, the country's largest medical lab serving doctors, was hacked in 2019, and hackers accessed medical lab results of 15 million Canadians. The privacy commissioners of Ontario and British Columbia concluded that the company had failed to comply with provincial data health protection laws.
While we have covered some of the recent most significant data breaches in healthcare, it's essential to note that there have been countless others that have occurred. Unfortunately, data breaches in healthcare are becoming more common, and it's critical for healthcare organizations to prioritize cybersecurity measures to protect sensitive patient data. The consequences of a breach can be devastating for both the patient and the healthcare organization, leading to financial loss, damage to reputation, and loss of trust from patients.
Cybersecurity challenges in Healthcare Industry
The healthcare industry is a top target for cybercriminals for a number of reasons. First, patient data is extremely valuable on the black market. This data can be used for identity theft, insurance fraud, and other illegal activities. Second, healthcare facilities are often vulnerable to cyberattacks due to their reliance on older systems and the use of mobile devices. Finally, healthcare facilities often have a large number of employees with access to patient data, making it difficult to control access and prevent unauthorized access. We collected the main cybersecurity challenges that year to year facing healthcare sector:
Ransomware and Malware: Healthcare organizations are frequently targeted by ransomware attacks because their data is highly valuable and they are more likely to pay to restore their systems. In Q3 2022, one in every 42 healthcare organizations was affected by ransomware, making it the most commonly targeted industry.
Data Breaches: Healthcare organizations store large amounts of sensitive data, which must be accessible to patients while also being protected against unauthorized access and breaches. This balance between security and accessibility creates challenges for healthcare organizations.
Insecure Medical Devices and Equipment: The Internet of Medical Things (IoMT) has led to an increasing number of networked devices, many of which have poor security. This creates new vulnerabilities that attackers can exploit to gain access to patients' sensitive data.
Phishing: Phishing attacks, which use tactics such as stealing login credentials or deploying malware to gain access to an organization's systems, are a common threat to healthcare organizations. These attacks rely on tricking employees and can be difficult to defend against.
Insider Threats: Business threats that come from within the organization, such as careless or malicious employees, contractors, or business relations, can be just as dangerous as external actors. These insiders can be just as – if not more – dangerous than outside actors. This is because insiders have added advantages that aren’t available to outsiders, such as security access, organizational trust, and knowledge of procedures.
Lack of Awareness: Healthcare organizations must educate their employees about cybersecurity risks and help them recognize fraudulent websites and suspicious email attachments. Advanced password policies can also help to protect against weak passwords.
Overall, the healthcare sector faces a complex and evolving threat landscape that requires ongoing attention and investment to keep sensitive patient data secure.
Join us for our upcoming webinar: Сybersecurity in healthcare industry on May 16th, 2023, at 11 AM (Toronto, Canada) to learn about building a strong cybersecurity system and preventing hacking and data breaches in the healthcare industry. Registration is free, and you can access the link here.
ESKA is a cybersecurity provider that specializes in safeguarding sensitive data. We offer tailored services to companies involved in handling individual data, including healthcare organizations. We uphold the highest standards to ensure compliance with essential legislation.