Why Sleep And Balance Centers Are Becoming New Cyber Targets

Healthcare data breaches are on the rise, but there is also a significant shift in which types of healthcare providers are experiencing them: fraudsters are increasingly succeeding in targeting smaller specialty providers such as balance disorder clinics, sleep centers, and diagnostic service providers. The recent Persante Health Care data breach is the most obvious illustration of this trend. Because these smaller providers store highly sensitive patient information and typically lack the resources of larger hospitals and health systems, they are becoming prime targets for attackers.

Because of the nature of their services (diagnostic evaluations, ongoing care coordination, medical record updates, and insurance claims processing), sleep centers and clinics that provide treatments for balance disorders house a significant amount of patient information. Although these providers may appear from the outside to operate at an insignificant scale, their internal systems hold highly detailed personal, medical and, in some cases, financial information. Hackers recognize that this type of data has an elevated value because it provides a comprehensive identity profile of an individual; it is far more dangerous than a single exposed credit card number. When attackers gain access, they often obtain a combination of names, dates of birth, insurance IDs, medical histories, and treatment information, all of which can be misused for fraud.

The number of software platforms used by specialty clinics and centers contributes to cyberattacks in two ways. Many sleep disorder facilities use different software for their sleep studies, billing, scheduling, telehealth visits, electronic records, and, most importantly, for managing their diagnostics and treatments. One consequence of linking these disparate systems together is an increased risk of damage through weak integration points. In addition, if one of these systems has an outdated component (module), or is not being updated regularly through vendor-supported patches, unauthorised access becomes possible through that one system, which could lead to a security breach. The recent incident involving Persante illustrates just how quickly an attacker can exploit a minor vulnerability to gain access to restricted records; even though the vulnerability was in the system for only a few days, it still allowed unauthorised access to protected records for several days.

Cybersecurity budgeting creates yet another risk factor for specialty healthcare providers. They normally do not have the capital that large hospitals and medical centers (and their associated systems) have available. Consequently, both new security upgrades and system patch updates can be delayed, and outdated systems remain in use. Many smaller clinics rely on an outsourced IT provider to manage their systems. As a result, if a vendor has a weakness in its security protocols, the effects of that weakness could be felt by all organisations connected to the vendor's services, including sleep disorder facilities and balance centers.

The damaging impact of breaches at sleep or balance clinics is immense because the consequences of the compromised information are long-lasting. Patients are at risk of identity theft, misuse of insurance benefits, fraudulent medical insurance claims, and inaccurate medical records. Medical history is a permanent record and cannot be changed or reissued. Stolen medical records can therefore be used repeatedly and can appear on the dark web months or years after they have been compromised.

Healthcare credentials retain their value over a long period of time. If someone has been a victim of identity theft, for example, the stolen credentials may contain diagnostic reports, device use records, insurance authorizations, and personally identifiable information, none of which will lose its value. Not all of these consequences appear at the same time. Often, patients begin to see the effects of a breach long after the event has occurred. The impact may show up as a series of unfamiliar medical bills, activity on the insurance policy that the patient did not authorise, or incorrect records that later create issues for that patient.

The breach of Persante Health Care has made apparent how much more risk health care facilities face as their use of digital health care technology grows, and that the entire extent of such a breach could be uncovered during an investigation. As digital health care technologies such as telehealth, digital monitoring, cloud-based diagnostics, and remote access are added to sleep and balance centers, the risk of a breach increases proportionately. Cybercriminals are tracking this growth in digital health care technology usage and are adjusting their target selection accordingly.

As this trend continues to grow, it is crucial that all specialty health care organizations increase their overall cybersecurity awareness and adopt higher standards for the security of their digital infrastructure. While much of the focus on protecting patient information falls on larger hospitals and health care systems, the same risks exist for small, single-site diagnostic centers. Improving vendor management, strengthening infrastructure, and ensuring that software is updated in a timely manner are all critical components of improving the overall security of a facility.

The patient information stored in diagnostic centers is not just the clinical information gathered about the individual; it includes complete information about the individual's identity, health and insurance. As patient records stored by small providers end up in the hands of cybercriminals, it is clear that no facility is too small to be at risk and that threats to the health care industry continue to evolve, as evidenced by the recent breach at Persante Health Care.