Health Hackers Are Exploiting Deceased Patient Data, Here’s How We Stop Them

Another month, another health hack. In what is now uncomfortably common in the sector, PharMerica disclosed it was the victim of a data breach in May. The information of almost six million people – including social security numbers, names, and addresses – was stolen and published.

The hack is the largest this year in healthcare. Even worse, the hackers stole the information of deceased patients, and now family executors are advised to ensure that fraudulent credit lines have not opened in the aftermath.

Concerningly, this breach most hurts those the sector is sworn to serve – patients. It’s past time for operators and providers to tighten healthcare endpoints, secure networks, and protect their private information. Let’s explore how.

The Cybersecurity State Of Play

This is the latest in a long line of healthcare attacks. Last year, healthcare organizations worldwide averaged more than 1,400 cyberattacks per week, about 75% higher compared with 2021. And the hacks are evermore costly. The average health breach costs about $10M per incident – more than double the average for industries like pharma, technology, and energy.

Interestingly, hackers aren’t just going for small players with fewer cybersecurity resources. PharMerica is one of the largest providers of pharmacy services in the United States, operating more than 2,500 facilities and 3,100 pharmacy and healthcare programs. And yet, they too cannot keep bad actors away.

What Health Must Do Now

PharMerica posted a statement on its website stating that it is taking extra steps to reduce the chances of a similar event happening again. However, the company did not mention what those steps are. Here are some suggestions.

First, prioritize hardware and device security. A single exposed endpoint – like a connected medical device or health kiosk – can lead to network infiltration. Alarmingly, roughly half of the incidents reported at The Department of Health’s breach portal originate from these sources. The sector should therefore consider unified endpoint management for comprehensive oversight of devices, users, networks, and settings. Moreover, encrypt all device communications and implement an intrusion monitoring and detection strategy.

Second, adopt zero trust. This emerging security model enforces the principle of least privilege, granting only the minimum credentials required for specific tasks. This way, healthcare institutions can decide who views and edits patient data, as well as better track such actions. Additionally, backed by continuous multifactor authentication, entry is stricter.

Third and finally, don’t forget the human element. Hackers often try to exploit those working on the healthcare frontlines via phishing or social engineering attacks. Therefore, bring staff along in your cybersecurity efforts. Continuously train the team in foundational cybersecurity and warning signs. And, especially in organizations with bring-your-own-device policies, teach them best practices to stay safe.

Patients Deserve Peace Of Mind

The good news is that healthcare organizations – by acting proactively instead of reactively – can prevent themselves from becoming another statistic. This is possible by incorporating lessons learned, responding to the growing threat landscape, and implementing robust frameworks.

Of course, there is an added degree of difficulty considering the sensitivity of health data. Not only must providers keep patient information secure, but they must keep it confidential. Here, too, tighter endpoint oversight helps ensure regulatory compliance and lower the chance of a breach, thereby improving service delivery to patients.

In the end, that’s who matters most in this conversation. Patients, living and dead, have a right to secure medical records. Similarly, doctors deserve to practice in the electronic age without threat. Strong cybersecurity infrastructure protects both sides for a healthier tomorrow.