How Secure Are Your Medical Records?

By Chris Flinders January 13, 2021

A recent industry report from Black Book estimates that attacks against healthcare systems are expected to triple in 2021.  The value of healthcare data has far outpaced the value of individual identity and credit data.  Medical records on the dark web bring a premium to the highest bidder and are often bundled and sold with millions of other healthcare records. 

The healthcare industry represents a high value target, not just for the medical records, but also to hold networks for ransom.  Diagnosis and treatment of patients relies heavily on immediate access to orders, test results, physician notes and integration between numerous healthcare service providers.  When a healthcare system is under attack, it has an immediate impact to the clinician’s ability to care for their patients.  The first loss of life directly connected to an attack on a healthcare system occurred on September 10, 2020 when Duesseldorf University Hospital was not able to provide services to a patient during the attack and a patient was required to be re-routed to another health system more than 18 miles away.

The Black Book report surveyed 2,464 security professionals from 705 healthcare entities, and 73% of those interviewed reported that their infrastructures are unprepared to respond to the growing number of attacks.  The report concluded that 1500 healthcare providers are vulnerable to data breaches consisting of 500 or more patient records.

Here are the key takeaways from this data:

1.      Talent shortage for cybersecurity professionals continues, and far exceeds demand by health systems.

The cybersecurity labor shortage remains an ever-growing concern, as we reviewed in November 2019, which can be explored more here.  This truth is felt even more in healthcare, where it can take 70% longer to fill a cybersecurity role when compared to hiring for other IT roles.

2.      COVID-19 has greatly increased risk of data breaches from remote work & cloud-based business operations.

Covid-19 has tested healthcare infrastructure, staff, procedures and budgets like never before.  Many departments, staff and workflows had to be modified or completely rebuilt within a short timeline and with limited budgets.  While decisions about investing resources and budget into critical PPE (Personal Protective Equipment), overtime for staff and other critical supplies, small budgets for security measures became even smaller.

3.      Cybersecurity consulting and advisory services are in high demand.

On the positive side, 69% of Healthcare systems are expected to increase security spending in 2021 to access gaps, secure networks and train healthcare staff on security best practices.  Much of this spend will utilize consulting and advisory services to gain access to experts in the field.

4.      Healthcare cybersecurity challenges find resolutions from outsourced services.

Cybersecurity as a service is helping to bridge the gap for healthcare systems in the form of managed services for system/software patching, vulnerability management, management for cloud and network services, penetration testing and incident management.

5.      Cybersecurity in healthcare provider organizations remains underfunded.

Cybersecurity spend within healthcare systems has increased an average of 21% year after year, since 2017. However, most healthcare systems still report that it is not enough to stay ahead of the constant attacks on their data rich environments.  Healthcare systems are now four times more likely to be targeted over other industries.

6.      Majority of healthcare consumers are willing to change providers if they feel their medical records are not secure.

A recent survey of 3,500 individuals resulted in 93% reporting they would leave their healthcare provider if their medical records were compromised in an attack.

The healthcare industry has a long road ahead, and partnering with consulting and managed services providers will be critical to help them keep up with the demand. Learn more about how ivision can serve as a resource in consulting or managed services, as well as our experience within the healthcare industry.