Cloud Is Top 5 Threat to Electronic Health Data, Feds Say
A U.S. government agency has named cloud-based security threats as one of the health care industry's biggest risk factors.
In a report published this month, the Health Sector Cybersecurity Coordination Center, an office within the U.S. Department of Health and Human Services, said "cloud threats" are one of the Top 5 security problems facing electronic medical records (EMRs) and electronic health records (EHRs).
According to the report, EMRs encompass "the electronic entry, storage, and maintenance of digital medical data," while EHRs encompass "the patient's records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications." Both types of data are useful to hackers because of the wealth of personally identifiable information they contain, including names, Social Security numbers, licenses and even biometric identifiers like facial photographs, fingerprints and retinal scans.
The other four threats are phishing attacks, ransomware and malware, encryption "blind spots" and insider threats from employees.
Of course, health care isn't the only industry to use such data, but it's the industry that hackers derive the most value from. According to an IBM study cited in the report, the average cost of a data breach in the health care industry was $9.23 million in 2021, up from $7.13 million in 2020. The second-most valuable industry for hackers was the financial industry, where data breaches cost $5.72 million in 2021, down slightly from $5.85 million in 2020.
Health care data breaches affected over 41 million people in 2021, according to the report. In January 2022 alone, 2 million people were affected.
To help protect individuals' private data, the report recommends health care organizations get their cloud security profiles in order. That comes down to an organization's CASB, or cloud access security broker, which covers functions like access control and monitoring, compliance management, data security and threat protection.
"More healthcare organizations are using Cloud services to improve patient care, so there is an increasing need to keep private data secure while complying with HIPAA," it stated.