The health care industry is again the top target for cyberattacks. An annual survey finds that hospitals and health systems represented one quarter of U.S. data breaches in 2018.
The report includes 750 incidents handled by BakerHostetler, a law firm with a national cybersecurity practice. The analysis covers a year without many health care breaches that attracted lots of attention, like the 2014 hack of 4.5 million patient records from Brentwood-based hospital chain Community Health Systems.
Government data from 2018 shows many breaches measured in the thousands. In Tennessee, data for 1,800 patients from Alive Hospice and 24,000 from Decatur County General Hospital were compromised by hackers. Any breach of more than 500 patients has to be reported to the U.S. Department of Health and Human Services.
"The challenge is that the value of the data, whether it's held by a large entity or a small entity, is equal to the bad guys," says Mark Johnson who leads the health care cyber security team at Nashville-based LBMC.
While large health systems are big targets, smaller physician practices and providers are especially vulnerable, Johnson says. But he also sees the uptick in health care hacking incidents as a good thing, because a few years ago, many of them may have gone unnoticed and unreported.
"I've said for years, health care has to get to the same level of maturity as other industries like financial services," Johnson says. "And unfortunately, I was right because we have seen that the bad guys have been able to monitize this data in ways we couldn't have predicted."
A single electronic health record is estimated to be worth hundreds of dollars on the black market.