Interestingly, though not surprisingly, the data shows that unlike most other industries, healthcare organizations fall victim primarily to human error, where an individual either loses information or sends it to an incorrect person or company. This is an artifact of the healthcare industry being a late adopter of digital technology (thanks, Meaningful Use!), and data literacy remains an area of opportunity for all roles within a health system. Think about the last time you saw a fax machine – I bet it was in a healthcare setting.
Notice the orange bars indicating "Error" as the primary cause
The other factor is that healthcare data is so hyper-personal that it is inherently more interesting to individuals and more valuable to hackers. Social engineering – a non-technical strategy that cyber attackers use to gather information, which relies heavily on human interaction and often involves tricking people into breaking standard security practices – remains a heavily used tool within healthcare. Phishing, baiting, and pretexting are examples at play here. Yes – ransomware is targeting healthcare organizations, but the vast majority of breaches of PHI are from your own people.
Generally, people are afraid of their social security number (SSN) getting into the hands of an attacker and their identity being stolen. The financial risk is certainly there. But what about the following data elements that are found within EHR software at healthcare organizations? Consider the value of these:
Names, addresses, SSNs, locations, diagnoses, care team members, clinical notes, medical supplies, procedures performed, medications, family members, and more.
That is a lot of highly sensitive and personal information that, in the wrong hands, can be significantly more damaging. Add in that we are on the verge of genomic and epigenomic data being captured and stored, and you have the most personal data available and susceptible to attack.
Chubb highlights these four key areas for healthcare cyber threats:
- Healthcare accounts for 38% of all Chubb cyber claims during the last ten years.
- A newly evolving risk is cyber-as-a-peril. This is when devices connected to the internet—such as pacemakers—are hacked, resulting in physical consequences for patients.
- Since 2016, the healthcare industry accounted for a third of the ransomware incidents handled by Chubb.
- A person's PHI (Protected Health Information) is worth up to ten times more than credit cards on the black market.
What can you do to learn more and increase your acumen on cyber threats? Explore the interactive Chubb Cyber Index and pick up some good techniques to keep you and your organization safe.
“Chubb is the world’s largest publicly traded P&C insurance company and the largest commercial insurer in the U.S. With operations in 54 countries and territories, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients.”
“The Chubb Cyber Index℠ provides you real time access to our proprietary data, giving you insight into current cyber threats and how you can protect your company against them.”
“Chubb has handled cyber claims for nearly two decades. As part of the claims process, we track key metrics such as actions causing a cyber loss, whether a cyber incident was caused by an internal or external actor, the number of impacted records, and more. We analyze these metrics along with public trend data to help us continuously improve our business, provide insight to our partners and policyholders, and help reduce exposures to future losses.”