A joint report published by the Identity Theft Resource Center (ITRC) and CyberScout analyses the number of data breaches that affected US organizations in 2016. The joint research team found that there were 1,093 data breaches, which exposed more than 36 million records.
Healthcare – top industry breached
The most frequently breached category was medical/healthcare (defined as "any medical covered entity or business associate, as defined by HIPAA, in the healthcare industry"), which accounted for 34% of the total number of data breaches identified by the study. It also suffered the largest number of exposed records: almost 16 million. The majority of data breaches in the healthcare sector were attributed to external attacks, the largest single category being "hacking/phishing/skimming" (38.56% of healthcare breaches), which exposed almost 13 million records.
Why is medical data targeted?
The healthcare industry has long been an attractive target for cyber criminals because of the high resale value of medical records on the black market: a medical record typically contains more, and more valuable, PII than most other record types, including Social Security numbers, dates of birth and insurance details, which are among the most sought-after data. Unlike a payment card, this data cannot simply be cancelled and reissued once stolen. Beyond data theft, these attacks can also cause business disruption and paralyse entire organizations, as ransomware incidents in hospitals have shown, even putting patients' lives in danger.
HIPAA and data breaches
Healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and disclosure of protected health information (PHI) by covered entities and their business associates. A violation, such as a data breach, carries civil monetary penalties of up to $50,000 per violation, up to an annual maximum of $1.5 million for violations of the same provision, as well as possible criminal penalties.
How to protect against external attacks
The golden rule is to have a cohesive cybersecurity strategy that addresses technology, people and processes:
- Technology, meaning tools and resources such as firewalls, anti-phishing and anti-malware software, plays a major role in detecting, protecting against and mitigating cyber risks.
- People have a huge role in keeping the company secure from external attacks in general, and phishing attacks in particular. An employee who recognises a phishing email that has bypassed the spam filter, and reports it rather than acting on it, can save the company from malware and ransomware infections, as well as from the inadvertent disclosure of sensitive data, so regular staff awareness training is essential.
- Processes, in the form of information security policies and procedures, should be clearly documented and shared throughout the company to make sure all departments are working to the same rules. Implementing an ISO 27001-compliant information security management system (ISMS) will help you preserve the confidentiality, integrity and availability of your information assets, and supports compliance with HIPAA's administrative, physical and technical safeguard requirements.