Cybersecurity in Healthcare: How a Data Breach affected 1 Million Patients


Healthcare organizations are targeted by cybercriminals all over the world.

Strong cybersecurity has become a necessity for protecting sensitive healthcare information.

The healthcare industry has seen a 55% rise in cybersecurity threats over the past few years.

Small and independent healthcare providers are especially vulnerable, because they rarely have dedicated security staff or budgets.

Why is Data Privacy Important in Healthcare?

As healthcare digitizes, patient information is increasingly exposed to attack.

The highest level of data privacy is crucial in healthcare.

Without HIPAA compliance you risk breaking the law, and your organization may face civil penalties and, in some cases, criminal charges. Organizations have paid hefty sums to settle HIPAA violations. In recent years, the following organizations faced the consequences of HIPAA violations.

Advocate Health Care Network:

After breaches that exposed the records of approximately 4 million patients, the network agreed to a $5.55 million settlement.

The Feinstein Institute:

After the theft of a laptop containing the protected health information of about 13,000 research participants, the institute paid $3.9 million.

CardioNet:

For a potential HIPAA breach (a stolen laptop holding patient ePHI, with no risk analysis in place because the regulations had been misunderstood), the company paid $2.5 million in a settlement.

Protecting patients' health information is essential, and not only to avoid penalties. There are numerous challenges in the path of securing healthcare systems and data from cyber threats.

5 Cybersecurity Data Threats in Healthcare Industry

Cybersecurity in healthcare needs to be strong to protect patients' vital health data. This blog discusses the data threats most often observed in the healthcare industry.

1. Cloud-based Threats

This is one of the emerging challenges for the healthcare industry. As healthcare organizations move their data into cloud storage, cybercriminals have started to target the cloud services themselves.

The usual entry points are phishing for staff credentials and brute-force or password-spraying attacks against exposed cloud login portals. Following HIPAA regulations helps, but compliance alone does not stop these attacks; multi-factor authentication, rate limiting on logins, and monitoring of failed sign-ins do.

2. Vulnerability of Legacy Systems

Many healthcare organizations run legacy systems, including networked medical equipment that cannot easily be patched or replaced. Attackers exploit the unpatched vulnerabilities in these systems, and because old systems lack protection against modern malware they give cybercriminals a convenient foothold into the hospital network. Where a device cannot be patched, it should at least be segmented from the rest of the network and monitored.

3. SQL Injection Attacks

This type of attack targets websites and web applications backed by SQL databases. The attacker supplies input that the application concatenates into a query, so the input is interpreted as part of the SQL statement rather than as data. This gives the attacker unauthorized access to read, modify, or delete sensitive healthcare data, and in some database configurations to run other malicious actions on the server.

For example, a healthcare organization has a web application through which patients access their medical records. An attacker can inject SQL in the search or login field and gain access to PHI by bypassing authentication.

Healthcare organizations should prevent SQL injection by using parameterized queries (prepared statements), so that input is never executed as code, and by validating input as a second layer; input validation on its own is not sufficient.
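The patient-portal scenario described above, as an added example written for this post (not code from the original page or from any real portal). It uses an in-memory SQLite database with constructed sample data; the table layout, the two user accounts and the diagnoses are all hypothetical. Each vulnerable function is paired with the parameterized version that closes the hole.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory patient-portal database (sample data, not from any real system).
    Passwords are stored in clear text only to keep the demo short; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, user_id INTEGER, diagnosis TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.executemany("INSERT INTO records (user_id, diagnosis) VALUES (?, ?)",
                     [(1, "hypertension"), (2, "asthma")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string formatting: the input becomes part of the SQL text."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterized query: the values travel separately from the SQL text, so a quote or
    comment marker in the input can never change the structure of the statement."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def search_records_vulnerable(conn, user_id: int, term: str) -> list:
    """Record search meant to be scoped to one patient, with the search term concatenated in."""
    sql = (f"SELECT diagnosis FROM records WHERE user_id = {user_id} "
           f"AND diagnosis LIKE '%{term}%'")
    return sorted(r[0] for r in conn.execute(sql).fetchall())


def search_records_safe(conn, user_id: int, term: str) -> list:
    """Same search with bound parameters; the LIKE wildcards are added to the value, not the SQL."""
    rows = conn.execute(
        "SELECT diagnosis FROM records WHERE user_id = ? AND diagnosis LIKE ?",
        (user_id, f"%{term}%")).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    # Authentication bypass: the SQL comment marker '--' discards the password check.
    print(login_vulnerable(db, "alice'--", "wrong"))        # 1 (logged in as alice)
    print(login_safe(db, "alice'--", "wrong"))              # None
    # Scope escape: "OR 1=1" makes the user_id filter irrelevant and exposes every patient's record.
    print(search_records_vulnerable(db, 1, "%' OR 1=1--"))  # ['asthma', 'hypertension']
    print(search_records_safe(db, 1, "%' OR 1=1--"))        # []
```

Note that the safe versions do no input validation at all and are still immune: the fix is structural (data bound as parameters), not a blocklist of dangerous characters.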

4. Man-in-the-middle (MitM) Attacks

In this type of attack the adversary positions themselves between two communicating parties and intercepts the traffic with the intent to read, modify, or steal data.

For example, when a patient uses an untrusted Wi-Fi network, an attacker on that network can intercept the traffic between the patient and the hospital even though the organization's website is otherwise secured and HIPAA compliant. If the connection is not protected by TLS, or the patient's app does not verify the server's certificate, the attacker can read and alter the exchange, and can trick the patient into revealing more sensitive information.

Healthcare websites and applications should use secure protocols (HTTPS, with HSTS) for all traffic, and the client must verify the server's certificate against a trusted certificate authority. Encryption alone is not enough; the authenticity of the other end has to be checked, which is what digital certificates provide.
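The certificate and hostname checks described above are exactly what a patient-facing app gets wrong when it silently disables verification to make a test environment work. The block below is an added example written for this post, not code from the original page or any real app: it builds a properly configured client TLS context alongside the common insecure one, and an audit function that reports the settings which would let a man-in-the-middle succeed. It runs offline; no connection is made.

```python
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client-side TLS context that authenticates the server, not just encrypts the link."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2               # refuse downgrade to TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED                         # server must present a valid chain
    ctx.check_hostname = True                                   # and the chain must match the host
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The anti-pattern: encryption without authentication. Any host presenting any
    certificate, including an attacker on the patient's Wi-Fi, is accepted. Built here
    only so the audit below has something to flag; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be set to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the findings that would let a MitM succeed; an empty list means the context is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not checked against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(make_client_context()))    # []
    print("insecure:", audit_client_context(make_insecure_context()))
```

The same three properties are what to look for in code review: a `verify=False`, a `CERT_NONE`, or a cleared `check_hostname` anywhere in a client that handles PHI is a finding, regardless of how strong the cipher suite is.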

5. Insecure APIs

APIs (application programming interfaces) enable communication between different software systems. If an API is not properly authenticated and authorized, or is otherwise misconfigured, attackers can call it directly, bypassing the web front end, to reach cloud-based data or systems. A frequent flaw is an API that checks that the caller is logged in but never checks that the requested object belongs to them, so any user can read any patient's record simply by changing an identifier in the request.
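The object-level authorization flaw described above, as an added example written for this post (not code from the original page or from any real API). The record store, the two roles and the session object are hypothetical, and the handlers are plain functions rather than a web framework so the check itself is visible.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Authenticated caller. Roles 'patient' and 'clinician' are hypothetical for this example."""
    user_id: int
    role: str


# Constructed sample records keyed by record id (not real data).
RECORDS = {
    101: {"patient_id": 1, "diagnosis": "hypertension"},
    102: {"patient_id": 2, "diagnosis": "asthma"},
}


class NotFound(Exception):
    """Single error for both missing and forbidden records, so callers cannot enumerate ids."""


def get_record_vulnerable(session: Optional[Session], record_id: int) -> dict:
    """Checks that the caller is logged in, but never that the record is theirs.
    Any patient can walk record ids 100, 101, 102 ... and read every other patient's chart."""
    if session is None:
        raise PermissionError("login required")
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id) from None


def can_access(session: Optional[Session], record: dict) -> bool:
    """Object-level authorization rule: a patient may read only their own record,
    a clinician may read any record."""
    if session is None:
        return False
    return session.role == "clinician" or record["patient_id"] == session.user_id


def get_record_safe(session: Optional[Session], record_id: int) -> dict:
    """Same endpoint with the ownership check applied after authentication."""
    if session is None:
        raise PermissionError("login required")
    record = RECORDS.get(record_id)
    if record is None or not can_access(session, record):
        raise NotFound(record_id)   # identical response for 'absent' and 'not yours'
    return record


if __name__ == "__main__":
    bob = Session(user_id=2, role="patient")
    print(get_record_vulnerable(bob, 101))   # bob reads alice's record
    try:
        get_record_safe(bob, 101)
    except NotFound:
        print("bob denied record 101")
```

Returning the same error for "does not exist" and "not yours" is deliberate: a distinct 403 tells an attacker which ids are valid, which is all they need to target a specific patient.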

1 Million Patients Impacted by the Zoll Medical Data Breach

Zoll Medical Corp., a medical device and software manufacturer, has disclosed a data breach that may have compromised the records of approximately 1 million Zoll patients and employees.

The company markets and develops medical software and technology related to advanced medical care such as ventilation, cardiac monitoring, data management, oxygen therapy, and more.

The breach was identified on 28 January 2023, when the company observed unusual activity on its internal network. The company engaged third-party cybersecurity experts and notified law enforcement of the breach on 10 March.

In its notification letter, Zoll states: "Though our investigation is still ongoing, we have determined that your data may have been affected by or on 2 February 2023." The letter does not, however, say that access to the affected data was cut off on that date.

According to the notice the company filed with the Maine Attorney General's Office, the exposed data includes patients' full names, addresses, dates of birth, and Social Security numbers, along with their interest in purchasing Zoll products.

The company says it has seen no misuse of the exposed information. However, stolen data is commonly shared or traded on underground forums, often long after the breach, so affected individuals should assume it may still surface.

The company has offered free identity protection services to the more than 1 million people affected by the breach. The type of attack used against Zoll has not been disclosed.

Best Data Privacy Practice in Healthcare

Data privacy breaches and HIPAA regulations can be extremely stressful. Don't worry, we've got your back: we build web applications and software that are HIPAA-compliant.

There are a few steps that you can follow to ensure the security of your organization and patients.

  • Never leave patient health information unattended
  • Restrict data access to the people who need it, using administrative access controls
  • Encrypt data at rest and in transit
  • Plan for the possibility of a breach or violation and prepare an incident response plan
  • Educate and train your employees on data privacy measures

A case study: how we ran a privacy impact assessment (PIA) on a healthcare project and eliminated the privacy vulnerabilities it found