News Feature | March 31, 2015

Studies Blast PHI Security

By Christine Kern, contributing writer

Healthcare is dead last in terms of security, and that could mean costly consequences.

An Agari Research report found the healthcare industry’s security challenges are in a class of their own, and when it comes to addressing email security and threats, it would be hard to do worse. Add the fact that experts are warning that ransomware, spam, and phishing attacks targeted at the industry are likely to escalate this year, and it is obvious providers need to tighten their guard when it comes to protecting patients’ health information (PHI).

Agari is not alone in forecasting hard times ahead for healthcare. Experian's 2015 Data Breach Industry Forecast called healthcare “a vulnerable and attractive target for cybercriminals.” While predicting more data breaches, it noted that many doctors' offices, clinics, and hospitals may not have adequate resources to safeguard PHI effectively.

Nearly 30 percent of the 14 healthcare companies Agari reported on received a TrustScore of zero out of a possible 100. One exception to this rule was Aetna, which earned a perfect 100 TrustScore in Q3 and in Q4, an unusual scenario in any industry.

And while the average TrustScore across all 147 companies analyzed increased from 41 to 45 in 2014, healthcare could not keep up. In fact, 93 percent of healthcare organizations were rated as vulnerable.

Scott Koller, a lawyer at BakerHostetler who focuses on data security, data breach response, and compliance issues, told iHealthBeat that 2015 will see a spike in phishing and ransomware attacks. Phishing attempts use deceit to trick people into providing confidential information such as usernames and passwords or credit card numbers.

“Phishing emails often provide the entry point,” Koller said, explaining attackers are getting craftier in disguising their phishing emails. “They are much more sophisticated in terms of crafting them and targeting them to users and making them more difficult to detect.”

In fact, cyber criminals are even trying to take advantage of the Anthem hack by sending phishing emails to affected customers, posing as Anthem emails with updates regarding the breach, according to Komando.

The recent attack against Premera Blue Cross utilized some of these same tactics. According to ThreatConnect, researchers found links connecting the same threat actors suspected in the Anthem breach to a possible attack against Premera using a domain called “prennera.com.”

“Encryption very much needs to be on everybody's radar,” Koller said. Unfortunately, a September Forrester Research report found only about half of healthcare organizations secure data using full-disk encryption or file-level encryption.