Data stolen from a bank loses its value quickly: once the breach is discovered, passwords are reset and accounts are reissued. Data stolen from the healthcare industry, which includes both personal identities and medical histories, cannot be reset and stays useful to an attacker for a lifetime.
Cyberattacks will cost hospitals more than $305 billion over the next five years and one in 13 patients will have their data compromised by a hack, according to industry consultancy Accenture.
And a study by the Brookings Institution predicts that one in four data breaches this year will hit the healthcare industry.
The recent study by Brookings showed that, since late 2009, the medical information of more than 155 million Americans has been exposed without their permission through about 1,500 breaches.
The Brookings research argues that the healthcare sector is uniquely vulnerable to privacy breaches. For one thing, federal policy, including the Patient Protection and Affordable Care Act (Obamacare), pushed healthcare organizations to adopt electronic health records (EHR) and other digital systems even when they were not ready to invest adequately in security.
Healthcare records also bundle the most valuable identifiers in one place, including Social Security numbers, home addresses and patient health histories, which makes them worth more to hackers than other types of data, according to the study by the Brookings Institution's Center for Technology Innovation. Because such records sell at a premium on the black market, criminals have a strong incentive to focus their attacks on the healthcare industry.
With the push toward more integrated care, "medical data are now being shared with many different types of entities in which many employees have access to patient records," the study said. "Extended access to medical records increases the potential for privacy breaches."
To comply with legal requirements, healthcare organizations often retain detailed medical information for many years. The probability of a breach, and the severity of its consequences, grow with both the volume of data held and the length of time it is kept.
A focus on regulatory compliance, not security
With the industry so focused on regulatory compliance as it moves to digital record-keeping, cybersecurity has largely been a secondary thought, according to Lisa Gallagher, vice president of technical solutions at the Healthcare Information and Management Systems Society (HIMSS) in Chicago.
"Enterprises with legacy systems are trying to connect to and integrate EHRs. Security is not always considered as a part of that, and patching systems is always fraught with peril. You're always a little behind with that," Gallagher said. "It's a formula for being behind."