UCLA Health breach shows data thieves increasingly focused on healthcare
In our last post on Access Granted, we featured a Q&A interview with Matthew Webb, a Senior Consultant at Ingenuity Associates, about the current threat landscape facing healthcare organizations, the reason why they’re being targeted and the steps they need to take to protect themselves. This was a very timely conversation, since the healthcare industry seems to be under attack from an increasingly sophisticated ecosystem of bad actors and data thieves.
Earlier this year, the healthcare insurance giant, Anthem, was hacked and had the personally identifiable information of as many as 80 million Americans compromised. Then, just this past month, another healthcare organization disclosed a massive breach – this time on the provider side.
In July, UCLA Health announced that an “attacker had accessed parts of the UCLA Health network that contain personal information, like name, address, date of birth, social security number, medical record number, Medicare or health plan ID number, and some medical information (e.g., medical condition, medications, procedures, and test results).”
UCLA Health is a healthcare system made up of multiple hospitals and medical groups across Los Angeles, including the Ronald Reagan UCLA Medical Center, UCLA Medical Center – Santa Monica, Resnick Neuropsychiatric Hospital at UCLA, Mattel Children’s Hospital UCLA, and the UCLA Medical Group.
Since UCLA Health has such a large footprint and provides care to such a large community of patients, it’s estimated that more than 4.5 million patients could have had their information compromised. And, although UCLA Health claims that financial data wasn’t accessed or stolen, the information that was compromised can be equally sensitive and dangerous.
Medical data remains some of our most embarrassing information. In the wrong hands, it can be used to discredit or even blackmail individuals. Also, as more medical information and data moves online, the compromise and manipulation of medical records could become dangerous or deadly. Should a patient’s penicillin allergy miraculously be removed from their medical records, a trip to the emergency department for a simple sickness or infection could get much worse, very quickly.
The UCLA Health breach is indicative of a large trend – healthcare companies are in the crosshairs of an increasingly sophisticated set of hackers with some increasingly effective tools at their disposal. And there are numbers to back that up. The Ponemon Institute recently released the results of a study that incorporated 90 healthcare organizations and 88 of their business associates.
The findings show that data theft and security breaches across healthcare institutions are becoming increasingly common. According to the report, “More than 90 percent of healthcare organizations represented in this study had a data breach, and 40 percent had more than five data breaches over the past two years.” And those breaches were very expensive for the healthcare organizations involved. According to the report, “The average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million.”
What’s truly frightening is that UCLA Health is a very large and very sophisticated healthcare organization, and even it didn’t take all the steps necessary to protect this information. Patient data was left unencrypted, and the data breach could have been going on for upwards of ten months before being discovered. If a large healthcare organization – such as UCLA Health – can be so unprepared and fall victim to a data breach, how well prepared are other, smaller health systems and healthcare organizations?
All healthcare providers today – regardless of size – need to have a strategic plan to protect patient records and control access to all PII. They need to better manage who has access to records, how that access is achieved, and how authentication is proven, to ensure that only those who need access to their patients’ records can get it.
The cost of healthcare breaches, and their increased frequency, illustrates just why it’s so important for healthcare companies to take the security of their networks and their patient data more seriously. The Ponemon Institute study shows that UCLA and Anthem are just the tip of the iceberg. Healthcare organizations – and the most sensitive information about their patients – are at risk. These organizations need to have strong authentication solutions in place to protect that data, and they need to ensure that data is encrypted both in transit and at rest to make any compromised data useless to hackers, or some very frightening outcomes could follow.
For additional insight into how some recent cyber breaches have been perpetrated against healthcare companies, watch the replay of our recent webinar, “Anatomy of a Breach,” which analyzed the breach that impacted health insurance giant Anthem, among others.