By Andriana Moskovska / Special to Healthcare Facilities Today

Cyber attacks have become a bigger threat than ever before. Cybercriminals steal billions of dollars every year, and large scale hacks can now cost millions of dollars to industries worldwide. Everyone even marginally acquainted with cybersecurity knows what happened to Yahoo just a few years ago - millions of accounts compromised and a reputation forever tarnished.

What’s more:

It seems that no one is safe from the looming cyber threat. Education, business, energy - you name an industry, and it’s bound to have a swarm of cybercriminals looking for a weak spot. This is the reason why cybersecurity has grown so much over the last few years and why many hold it in such high regard.

But there’s one industry that has consistently failed to take proper cybersecurity measures: healthcare.

As of late, healthcare has taken the brunt of the cyber onslaught. Most of you reading this know about the Quest Diagnostics fiasco. And just a day after that took place, the news about LabCorp came to light. Both companies lost millions of dollars worth of data.

Going further back, healthcare has often made headlines for the same reason. But what is the cause of this phenomenon? Why are healthcare services targeted to this extent? And why can’t they fend off the hackers?

Here are some of the main reasons:

• The value of PHI (Personal Health Information) over PII (Personal Identifiable Information) - Something a hacker will always go after is value. Data that can be used for fraud or blackmail is his bread and butter. And PHI can be very useful. Estimates point to PHI being worth over $300 on the black market, many times more than PII. 

You might be wondering:

“Why is PHI so valued in criminal circles?” 

The main reason is that it holds much more sensitive information than PII. A person’s medical history will allow a hacker to manipulate them or those around them to a greater extent than their Social Security number. For instance, the criminal might get a hold of someone’s prescription and then resell the medicine. 

Seeing that PHI is worth so much, it’s only natural that attackers try their damnedest to compromise this kind of information. And that logically leads them to set their sights on healthcare institutions more often than on other industries.

• Declining security standards - Security for healthcare organizations has seen less and less stringent standards in recent years. In the US, HIPAA (Health Insurance Portability and Accountability Act) reduced the tolerated conformance threshold from 74 to 72% in 2018. In essence, healthcare businesses get to play fast and loose with safety regulations to a greater degree than before.

• HIPAA has very well-established guidelines for making health providers more likely to report breaches than most other sectors.

• Lack of security budgets - Strangely, healthcare firms have bumped cybersecurity down their list of priorities. Meanwhile, the number of cyber attacks specifically affecting them has gone up. So what’s the rationale behind this?

Here’s the thing:

Many organizations of this stripe claim they can’t meet the modern technological demands the cyber arms race has set. The attacks are getting bigger and badder at a rate cybersecurity can’t keep up with. In turn, many firms simply don’t bother with keeping their measures up to snuff. In their minds, there are other pressing matters that require more assets.

So is there any hope for improvement? 

Sadly, it’s not likely.

The way things are going at the moment, there is little to promise any change for the better. The current aggressive climate in the cybersecurity world makes many healthcare businesses unwilling to invest heavily in defenses that might not even work in the near future - if at all. In fact, the future might even be worse than what we’re seeing today.

Andriana Moskovska is a tech blogger and contributor at techjury.net