Two recent hacker attacks show that the cyber assault against organizations in the healthcare sector continues.
In early August, Banner Health announced that it was notifying about 3.7 million patients, health plan members and beneficiaries, food and beverage customers and physicians and healthcare providers of a cyber attack launched against the company in mid June.
On July 7, 2016, Banner Health discovered attackers might have gained access to computer systems that process payment card data at food and beverage outlets at some Banner Health locations. It said the attackers targeted payment card data, including cardholder names, card numbers, expiration dates and internal verification codes, as the data was routed through affected payment processing systems.
Payment cards used at food and beverage outlets at certain Banner Health locations between June 23 and July 7, 2016 might have been affected, according to the company, one of the largest non-profit healthcare systems in the US.
Banner Health immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers and contacted law enforcement. The investigation showed that the attack did not affect payment card payments used to pay for medical services.
But the company said the attackers might have gained access to patient information and health plan member and beneficiary information, as well as information about physicians and healthcare providers. The patient and health plan information possibly included names, birthdates, addresses, physicians’ names, dates of service, claims information, and health insurance information and social security numbers.
The company said it’s working to enhance the security of its systems to help prevent this type of attack in the future.
Around the same time as the Banner Health announcement, Central Ohio Urology Group confirmed that law enforcement was conducting an investigation after its patients’ personal information had been compromised.
In response to the cyber attack, Central Ohio also engaged two security service companies to conduct a thorough investigation. Tino Valentino, Central Ohio Urology Group CEO, said the full investigation was expected to take several weeks and the organization will not know the full scope and extent of the attack until it’s complete.
A new research report from Frost & Sullivan shows that healthcare organizations today are struggling to respond to what the firm calls an “alarming increase” in data breaches and other cyber attacks. The sector urgently needs to deploy new technologies and approaches to address security risks resulting from the recent widespread digitization of health data through electronic health records (EHRs).
Another factor contributing to the risk is a rise in the exchange of healthcare data across dispersed care settings and endpoints, Frost & Sullivan said.
New vendors are delivering products that address the healthcare cyber security market, the report said, and, while many hospital decision makers are just beginning to look into solutions, they will change their culture around IT security and become more sophisticated about what’s needed, the report said.
The Frost & Sullivan study forecasts that the total market for cyber security products deployed by US hospitals will increase at a compound annual growth rate of 14% between 2016 and 2021.
Because of the rising risk of attacks—particularly phishing and ransomware—hospitals are shifting from what has largely been a reactive and fragmented approach to security to a mindset that’s proactive, holistic and coordinated. This approach will be anchored by integrated security systems designed to protect multiple endpoints, the firm said.
In its report “The Global State of Information Security Survey 2016,”
consulting firm PwC said healthcare payers and providers are addressing rising cyber security risks by implementing technologies such as cloud-based cyber security, advanced authentication and data analytics. They are also adopting risk-based security frameworks and certification policies with critical vendors to improve their information security programs.
Most healthcare payers and providers queried by PwC said they use cloud-based cyber security services such as real-time monitoring and analytics, and identity and access management. While the initial benefits of these efforts are difficult to measure, the report said, companies in the industry report improvements in monitoring capabilities, threat intelligence and access management.
Many healthcare payers and providers are also turning to advanced authentication to improve access management, PwC said. In 2015, 60% of the firm’s respondents said they use multi-factor authentication to strengthen access control, while slightly fewer were using technologies such as hardware and software tokens.
“Increasingly, organizations also are using biometrics and smartphone tokens to strengthen authentication and enhance fraud protection, regulatory compliance and security of online transactions,” the report said.