Feds Identify Cloud as 1 of Top 5 Threats to Electronic Health Data
With health care organizations increasingly falling victim to cyberattacks, a U.S. government agency has named cloud-borne security threats as one of the industry's biggest minefields.
In a report published this month, the Health Sector Cybersecurity Coordination Center, an office within the U.S. Department of Health and Human Services, cited "cloud threats" as one of the Top 5 security problems facing electronic medical records (EMRs) and electronic health records (EHRs). The other four threats are phishing attacks, ransomware and malware, encryption "blind spots" and insider threats from employees.
According to the report, EMRs encompass "the electronic entry, storage, and maintenance of digital medical data," while EHRs encompass "the patient's records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications." Both types of data are useful to hackers because of the wealth of personally identifiable information they contain, including names, Social Security numbers, licenses and even biometric identifiers like facial photographs, fingerprints and retinal scans.
Of course, health care isn't the only industry to use such data, but it's the industry that hackers derive the most value from. According to an IBM study cited in the report, the average cost of a data breach in the health care industry was $9.23 million in 2021, up from $7.13 million in 2020. The second-most valuable industry for hackers was the financial industry, where data breaches cost $5.72 million in 2021, down slightly from $5.85 million in 2020.
Health care data breaches affected over 41 million people in 2021, according to the report. In January 2022 alone, 2 million people were affected.
To help protect individuals' private data, the report recommends health care organizations get their cloud security profiles in order. That comes down to an organization's CASB, or cloud access security broker, which covers functions like access control and monitoring, compliance management, data security and threat protection.
"More healthcare organizations are using Cloud services to improve patient care, so there is an increasing need to keep private data secure while complying with HIPAA," the report stated.