7 min read

U.S. Healthcare Data Breach Cost $4 Billion in 2019. 2020 Won't Be Any Better

George V. Hulme

January 13, 2020

U.S. Healthcare Data Breach Cost $4 Billion in 2019. 2020 Won't Be Any Better

New research estimates, after all the breach data, is tallied, that by the end of 2019, healthcare-related data breaches will cost the industry $4 billion, and respondents to a recent survey expect those numbers to only increase in the year ahead.

Black Book Market Research found 93% of U.S. Healthcare organizations surveyed were breached in the past handful of years. The research firm also found, not so surprising to those who have been paying attention, that more than half of those breached organizations were breached several times over those five years.

The race within the healthcare industry is going to continue to move their workloads to cloud computing, embrace medical IoT, electronic health records, consumer-driven health data services, upgrading legacy systems in too many doctor offices today, and more. And all of this is going to strain healthcare's already strained security efforts.

Healthcare delivery and AI: Machine learning uses are permeating healthcare today, in the nearly half-a-billion medical image market to disease modeling and new drug research and development. The data used to feed these algorithms will then become increasingly targeted by attackers.

AI as cybersecurity defense: We already see the use of AI within defensive security technologies, such as endpoint and network protection, to find anomalous behavior detection. That kind of screening is going to be necessary to rely upon as hospitals increasingly turn to IoT to deliver care. AI is also likely to be used in new ways, such as helping red teams with attack simulation and blue teams architect better defenses. This is essential as malicious actors are increasingly using AI to power their attacks.

CaCPA: The California Consumer Privacy Act of 2018 (CaCPA) is the first sizably notable data privacy law passed in the U.S., outside of perhaps HIPAA, which is limited to health data, goes into effect on January 1. The goal of CaCPA is to provide California residents the ability to know what information organizations are collecting about them, how or when that information is sold or shared, as well as access to their personal data. CaCPA picks up where HIPAA lets off, and it will likely be a challenge for HIPAA covered entities as they figure out where CaCPA picks up and where HIPAA leaves off.

Ransomware will continue to be a plague on healthcare: While ransomware attackers will target any business they believe that they can infect and can pay, but there has been a flurry of healthcare ransomware attacks in the past few years, as Filip Truta wrote in Spate of Ransomware Attacks on Healthcare Providers Raises Serious Health Concerns the stakes are high. "Attackers can not only encrypt vital medical data and demand ransom to unlock them, but they can also steal those patient records to use in identity theft and fraud. Patient data is one of the most expensive forms of stolen ID record on the dark web.

Hospitals also house a lot of Internet-connected equipment that cannot be secured with traditional endpoint solutions. At the same time, staff typically lacks proper training against cyber threats – as is the case across most other industries," he wrote.

"Minutes, even seconds, of delay can seriously affect the patient death rate. According to one recent study by Health Services Research, hospitals that have suffered ransomware attacks have recorded a rise in fatal heart attacks compared to units that haven't been under fire by hackers. Specifically, medical institutions hit by ransomware showed an increase of 36 deaths per 10,000 heart attacks per year. Furthermore, patients received an electrocardiogram 2.7 minutes later than the average, putting lives at risk in emergencies," he wrote.

The rise of robotic process automation in healthcare: There's a lot of repetitive "paperwork" and other repetitive and rote work in healthcare that can be automated by robotic process automation. This can include streamlining patient appointments, claims, and payment settlements, and different workflows. But the thing is many enterprises aren't governing their bots properly and could be the vector attackers choose to target. Adverse bot outcomes can be avoided if these identities are managed like human identities, and their access provisioned, monitored, and de-provisioned when they'll no longer be in service.

Increased electronic health record interoperability: The electronic health records providers use to collect, monitor, and share patient data, payment, and insurance information have always existed in too many silos. Driven by the need for improved outcomes, providers seek more data, and providers are hoping that their primary EHR provider will start supporting more data sharing and interoperability. This is essential if new technologies, machine learning, and remote care are to be indeed as effective as possible.

There is a catch, however, and that's as systems open up and become more interoperable, security risks are likely to increase. If such efforts are going to be successful over the long term, they need to be adequately secured.

And that's the challenge for the healthcare industry in the year ahead: the drive to digitally transform organizations and increase automation, data, and system interoperability, will all need to be done securely or the industry, regulators, and most importantly — patients — could lose trust and slow down progress.



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

View all posts

You might also like