The healthcare industry is one of the most sensitive in terms of security related to patient data. It is also one of the most attacked by cybercriminals according to various reports as we will discuss later in this article.
Just as an idea, according to IBM’s Cost of a Data Breach Report 2021, although “data breaches now cost surveyed companies 4.24 million U.S. dollars (3.9 million euros approximately) per incident on average”, in the healthcare industry that figure skyrockets to 9.23 million U.S. dollars per incident (8.5 million euros approximately).
But, unlike other sectors where cyberattacks have only financial or reputational costs for companies, in the healthcare industry, the consequences can be lethal for patients.
On 14 May 2021 Ireland’s health system (HSE) was victim of a massive ransomware cyber-attack. The impact of the attack left several hospitals across the country without access to electronic systems and had to rely on paper records. Many appointments cancelled including all outpatient and radiology services.
Donna-Marie Cullen, a 36-year-old mother of two, was one of the patients that was left without her radiation treatment for sarcoma, a rare and aggressive form of brain cancer. When the attack occurred, she was reaching the final stages of her treatment, having been diagnosed in September 2020.
She was not the only one, as in some areas the number of appointments dropped by 80% in the days following the attack. On May 28, the HSE confirmed confidential medical information for 520 patients, as well as corporate documents were published online as result of the breach. It took five months to restore 95% of the IT servers and devices affected.
A year before, on 11 September 2020, a 78-year-old woman died at Helios University Hospital in Wuppertal, Germany. She had suffered an aortic aneurism in Dusseldorf, but the ambulance that was taking her to the University Hospital Dusseldorf, was diverted to Wuppertal’s, 32 kilometers away, which delayed her treatment by an hour. She died shortly after arriving.
The ambulance was diverted due to a ransomware attack that compromised the hospital’s digital infrastructure, forcing the cancellation of hundreds of operations and other procedures. It was suggested afterwards that the old woman’s death was the first by ransomware.
These real examples show us how breaches or delays in patient authentication and attention can be fatal in the Healthcare industry.
In 2021, in the US alone, more than 50 million people saw their sensitive health data compromised according to an analysis by POLITICO of the Health and Human Services US Department data.
Verizon’s report Data Breaches by Industry 2021, also focused on the US, reveals that human error continues to beset this industry, with the most common being missdelivery (36%), whether electronic or of paper documents. It also points out that miscellaneous errors, basic web application attacks and system intrusion represented 86% of breaches.
During the period covered by Verizon’s study (2019-2020) the Healthcare sector experienced a shift from breaches caused by Internal actors (39%) to primarily External actors (61%). The main motive, says the report, was financial (91%).
Black Kite’s Third-Party Breach Report 2022 states that, despite the security improvements in the Healthcare sector, it accounted for 33% of data breaches incidents in 2021. Among the causes Black Kite cites: Lack of budget, remotely shared personal data between patients and hospital systems, and outdated software.
And The ForgeRock 2021 Breach Report (including data from US, UK, Germany, Australia, and Singapore), points that for the third year in a row, healthcare was the biggest target with the highest number of breaches, accounting for 34% of the total breaches.
In Europe, in the second half of 2021, there were 36 registered and documented cyberattacks on healthcare institutions, health insurance companies, hospitals and research centers.
As we have pointed out in other posts, traditional security systems based in knowledge authentication are proving to be inefficient against cybercrime.
Passwords can be stolen or forgotten, especially when they are rarely used, which is often the case with patients accessing their health data. Biometric authentication can help healthcare providers move towards passwordless identification enabling a more secure access to electronic health records.
A biometric pattern such as a face, or a fingerprint are inherent to a single individual. The person is her/his own ID. Thus, biometric identification works when patients lack any form of physical identification.
Biometrics help to truly authenticate a person, simplifying the processes of identification and retrieving of medical records, preventing mismatches, duplication of records or loss of information critical for the patient’s treatment.
The patient has the control over his/her information since the patients keeps it in his/her device, and as no sensitive information is sent over the internet or stored in remote servers, none can be stolen or compromised.
Last, but not least, it is a cheaper identification method in the long term, as it helps eliminate costly duplicates and prevent cyber-fraud.
Miguel is General Manager of B-FY. He has more than 21 years of professional experience in the technology field, and for the last 14 years he has been in leadership positions in software manufacturing companies, which have been in a process of rapid growth.