Recent data breaches and cyber-attacks in the healthcare industry, including the Monday attack on MedStar Health, raise the question of why the industry is not doing more to protect its vast amount of confidential health information. Not only is it understood that healthcare organizations and hospitals lack effective cybersecurity systems, which is what attracts cybercriminals in the first place, but healthcare records are also as valuable as, or more valuable than, the information held by retailers and banks. While the nation’s top financial firms are beginning to take cybersecurity extremely seriously – JP Morgan will reportedly spend half a billion dollars on cybersecurity this year – medical records from more than 113 million patients have been stolen from healthcare facilities around the world. Obviously, the financial industry is not perfect. The 2015 JP Morgan breach provided the motivation to ramp up the company’s cybersecurity measures in the first place. But needless to say, the healthcare industry is certainly falling behind.
The reason hackers are beginning to focus more attention on the healthcare industry is simple. Financial data has a limited lifespan because it becomes worthless once the victim discovers the fraud. Healthcare information, on the other hand, contains names, Social Security numbers, insurance details, billing information and much more, all of which can be sold on the black market, leading to insurance fraud or identity theft. Not only does the value of healthcare information provide reason to protect it – the FBI recently said that cybercriminals can sell healthcare information for as much as $50 a record – but cyber vulnerabilities in the industry can be life-threatening as well. With so many medical devices connected to the internet, one cyber-attack could threaten the lives of thousands located in just a single hospital. The healthcare industry is not the only industry that needs to ensure the protection of medical records, as a data breach in the insurance industry could result in equally devastating consequences. Data breach notifications and other forms of information sharing are a step in the right direction, but protecting records on the front end should nonetheless be the primary focus.