With data breaches being reported almost weekly, healthcare organizations are struggling to plug the holes in their information security.
By the end of October, 2014, the US Department of Health and Human Services, Office for Civil Rights (OCR), had reported 1,140 breaches affecting 38.7 million individuals on its breach notifications page—also known as the ‘Wall of Shame’. And more incidents are being added to the list every day.
The sheer numbers reflect the extensive range of threats healthcare organizations face in preventing data privacy and security breaches. As healthcare data proliferates, threats to security will increase and organizations will need to adopt a multi-pronged approach to fight them.
Hacking, Distributed Denial-of-Service (DDoS) attacks, loss or theft of unencrypted computing devices, and insider threats such as unauthorized access or disclosure of information are some of the major causes behind security breaches in healthcare organizations.
Hacking has been the cause of at least 95 major security breaches since 2009. With each health record fetching up to $1,000 on the underground market, compared with 25 cents for a Social Security number and $1 for a credit card number, health data is a hot commodity on the black market, says John Halamka, CIO at Beth Israel Deaconess Medical Center (BIDMC) in Boston.
The FBI estimates that $80 billion of the $2.2 trillion spent each year on healthcare in the United States is associated with fraud, with half of that fraud related to medical identity theft.
“In the past, hackers were MIT freshmen who attacked the Harvard network for fun. Today it's a totally different kind of attack—highly sophisticated, organized criminals attempting to get medical identities,” says Halamka.
The hacking at the Montana Department of Public Health and Human Resources is one of the largest breaches reported in the healthcare sector, affecting 1.3 million individuals.
Nearly 270 breaches related to improper disposal of paper records and unauthorized access to or disclosure of information by insiders have been reported to HHS to date. As healthcare organizations increasingly computerize patient information, the threat of inappropriate access by insiders is expected to grow.
A former employee bypassed security systems and accessed the personal information of nearly 97,000 patients of New York-based NRAD Medical Associates in April this year.
Breaches due to improper handling of information were also reported. A clerical error at St. Vincent Breast Cancer Hospital led to sending letters containing personal health information to nearly 63,000 wrong recipients.
Lack of Encryption
Breaches due to loss or theft of computing devices are probably the most common source of data security worries. HHS had reported more than 500 major breaches of this kind by the end of October 2014.
In February this year, eight unencrypted computers containing personal information of patients were stolen from Los Angeles County departments of health services and public services. The breach affected 168,500 individuals. Similarly, a laptop stolen from Beth Israel Deaconess Medical Center (BIDMC) in Boston had unencrypted personal information of more than 3,900 patients.
Despite the persistent threat of breaches and the hefty resolution amounts organizations have to pay for them, much of the healthcare sector is still behind the learning curve in plugging security holes when compared with other targeted industries, such as financial services and information technology. Many healthcare organizations still devote inadequate resources to securing and safeguarding their information systems.
According to the 2014 Healthcare Information Security Today Survey, more than half of all healthcare organizations spend less than 3 percent of their IT budgets to protect data, and almost half do not have a full-time CISO or Chief Information Security Manager.
Experts and practitioners recommend a multipronged approach of ‘deterrence, prevention, detection and response’ to build a strong defense against security breaches, and they call on healthcare organizations to devote more resources to:
- Improve regulatory compliance by making it an organizational priority;
- Improve security awareness/education for physicians, staff, executives and board;
- Prevent and detect breaches through persistent risk analysis, mitigation and continuous learning;
- Monitor HIPAA compliance; and
- Encrypt all computing devices, including mobile devices.
Until the necessary resources are allocated to breach prevention, healthcare organizations will remain vulnerable to increasing cyber security threats.
Shiva Gopal Reddy has a Bachelor's degree in Physics and a Master's in Applied Psychology and writes frequently on the latest research, impact, happenings and trends in digital health technology.