The attack on medical institutions for health care identity data has reached crisis proportions. The information is coveted by hackers because of the valuable PII (personal identification information) that can be used to create lines of credit and other valuable financial instruments.   

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that enforces federal civil rights laws has been issuing substantial fines for not adhering the practice and procedures outlined in the HIPAA regulations. These include:  $2.3m fine to Community Health Systems for a 6.1m data record breach and a $6.85m fine to Premera for a 10.4m breach in records.  Both were cited for failures concerning risk management and access controls.

The recent Healthcare Breach report highlights what security professionals have been saying for a while - healthcare is at serious risk from cyberattack. From an attacker's perspective, the healthcare industry is ripe for data theft, ransomware, and hybrid attacks.  The industry faces a number of challenges as well, between internet connected medical devices that vendors aren't patching, to healthcare workers who are prime targets for phishing and social engineering, and complex IT and data systems that need to simultaneously comply with HIPPA and related regulations while being able to easily share data across organizations.

Organizations need to review their cybersecurity policies, training regimens, and security stacks to make sure they're up to date and able to deal with the challenges they face.