Healthcare industry continues to be top target for cybercriminals
In today's digital world, criminal activity is a constant threat. Cybercriminals only need to gather a few minor details to hack email or company accounts. If successful, they can use this information to break into bank accounts, impersonate employees, and sell both commercial and personal data.
There are ways to protect a company’s digital presence, but hackers evolve new ways to break through these measures. While hacking personal platforms is common, cybercriminals reap greater rewards by targeting large organizations with high financial value or ones that store masses of personal data. For the latter, there is one industry that hackers target most often: healthcare.
Why is healthcare a major target for cybercriminals?
Historically, the healthcare industry has faced some of the most severe cyber-attacks. Because it handles vast amounts of sensitive patient data, it's a top target.
Hackers often gain sensitive information by hacking into electronic medical record (EMR) systems, which store patient information. These intrusions make up 8% of all hacking breaches. The problem lies in how multiple healthcare facilities use the same EMR vendors. If someone can successfully hack one system, they're not just obtaining one facility's records, but several.
The healthcare industry is a thinly stretched, around-the-clock sector requiring an army of professionals to keep it running. With so much time and so many resources dedicated to patient care, and a reluctance to disturb daily working practices, updating software and technologies is often pushed down the priority list. This leaves the healthcare industry trailing behind security trends, making it an easier target.
The number of breaches shot up at the start of the pandemic when the healthcare industry shifted its focus elsewhere. Breach cases reached a record high of 393 in the second half of 2020. While that figure fell to 324 breaches in the first half of 2022, the number is still much higher than before the COVID-19 pandemic. Things might be looking better than they were two years ago, but it’s still essential for healthcare to implement more robust security defenses.
The biggest medical breaches
There have been many medical data breaches over the years, with the most significant falling to Anthem Inc. A major phishing attack hit the health insurance provider, now recognized as Elevance Health, in 2015. During the intrusion, hackers obtained a range of customer details, including:
- Dates of birth
- Home addresses
- Social security numbers
- Employment information
- Personal email addresses
- Anthem health ID numbers
The data breach affected 78.8 million people, and the financial impact of the cyber attack on Anthem was disastrous:
- $2.5 million in consultation costs
- $115 million for improved security
- $31 million to notify the public and those affected
- $112 million credit protection for affected individuals
Anthem incurred a total financial loss of $260 million, more than any other US healthcare company.
Who are the primary victims of healthcare-based cyber attacks?
Interestingly, the pattern of cyber attacks in healthcare has seen a shift. Instead of putting hacking efforts into large healthcare facilities, criminals are looking to smaller organizations on the assumption that their defenses are weaker.
Eye Care Leaders specializes in providing ophthalmology-specific EMR systems to more than 9,000 physicians across the country. The company experienced a mega-breach in December 2021, which exposed more than 2 million records. Shields Health Care Group, an imaging provider, faced similar numbers in March 2022. While it is understood the breach was handled quickly and efficiently, the impact could have affected 56 facilities.
When discussing who the primary cyber attack healthcare victims are, it’s helpful to consider the three main categories within the industry:
- Healthcare providers
- Healthcare plans
- Business associates
Out of the three entities, healthcare providers account for the most significant number of breaches year-on-year. Healthcare plans have historically followed closely behind but were surpassed in early 2022 by business associates, which include EMR providers. With the share of breaches faced by business associates rising from 10.3% in 2019 to 14.5% in 2022, they are now the second-most breached entity.
However, it’s not just about the number of breaches each entity faces, but also the number of individuals affected per case. Healthcare providers experience more cyber security breaches, each affecting an estimated 59,000 records. Business associates don’t experience as many breaches, but each breach affects 97,000 records. Ultimately, while smaller healthcare facilities are the primary target for cyber attacks in healthcare, the many individuals whose details are breached are viewed as the primary victims.
Which state faces the most cyber attacks?
According to the most recently published FBI Internet Crime Report, the US faced an uncommonly high increase in criminal cyber activity in 2021. The Internet Crime Complaint Center (IC3) received 847,376 complaints of cyber-related criminal activity, amounting to a total financial loss of $6.9 billion. Over 51,000 of those complaints were related to personal data breaches.
Interestingly, some US states face more attacks year-on-year than others. However, a higher number of personal victims in a state doesn't always equate to a higher overall financial loss.
In 2021, California had more victims than any other state, ending with 67,095 complaints. That number is significantly higher than in other states, so it makes sense that its financial loss ($1.2 billion) was correspondingly high.
Florida came in second place for the total number of 2021 victims. However, while Texas and New York had fewer victims, they surpassed Florida in terms of the total financial loss per state.
[Table: total victims (2021) and financial loss (2021) by state]
How to prevent cyber attacks in healthcare
All entities within the healthcare industry must consistently keep up with and implement measures to prevent a medical data breach.
As well as having a responsibility to provide physical patient care, the healthcare industry is legally required to protect its patient and organizational data from potential cyber-attacks under the US Health Insurance Portability and Accountability Act (HIPAA). This act is regulated by the Department of Health and Human Services (HHS) and applies to any facility that handles protected health information (PHI).
HIPAA guidelines for healthcare professionals require every facility to implement up-to-date technologies that can effectively secure patient data and avoid an attempted medical breach.
RudderStack earned HIPAA-compliant status in 2022 and is recognized for using advanced technologies to protect data from criminal activity. Since becoming HIPAA compliant, RudderStack has helped healthcare companies like Accrux protect their patient data with modern and effective customer data security tools.