Study reveals hospitals’ vulnerability to data breaches
A recent study released by the American Journal of Managed Care (AJMC) revealed that one third of healthcare data breaches in the US occur in hospitals. The researchers analysed breaches reported to the Office of Civil Rights (OCR). Under federal legislation, if a healthcare privacy breach affects 500 or more patients, institutions are obligated to inform the OCR about it. The details of the breach are then made publicly available on the OCR’s data breach portal.
The study looked at what type of breaches occur most often in hospitals, the kind of data that they target and how vulnerable healthcare institutions are to them. Covering breaches that occurred between October 2009 and July 2016, the researchers discovered that 215 hospitals were hit by breaches affecting over 6.5 million individuals.
The most common type of data breach, which occurred 112 times, was physical theft. It compromised approximately 1.2 million records, of which 200,000 were paper/film while the rest resulted from the misappropriation of portable devices such as laptops. The smallest number of breaches occurred at the network server level, but at the same time these were the incidents with the highest reach, impacting over 4.6 million individuals. Another 1 million records were affected through email and desktop computers.
Hospital breaches and federal legislation
As healthcare systems began implementing digitalization on a large scale, the focus was firmly on the effective transition of data and processes to the electronic environment, with cybersecurity seen as a secondary concern. A recent review of cybersecurity in healthcare showed that while healthcare organizations spend 95% of their IT budgets on the adoption and implementation of policies compliant with federal initiatives, only 5% is spent on security.
However, due to the sensitivity of health data and its attractiveness to cybercriminals, federal legislation such as the 1996 Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) were adopted in the hopes they would set a data security standard in the healthcare sector and thus reduce the number of breaches occurring nationwide.
Despite HIPAA/HITECH, however, incidents continue to occur, as the OCR data breach portal clearly shows. The AJMC study sheds some light on why that is: although some hospitals invested in more advanced cybersecurity systems and in two-factor and biometric authentication methods, these measures did little to reduce the likelihood of data breaches. The type and size of hospitals proved to play a larger role, with pediatric and teaching hospitals running a higher risk of breaches.
Improving data protection in the healthcare industry
Given that hospitals amass millions of patient records, it is no surprise that they are often targeted by criminals, both in the physical and digital worlds. While enforcing stronger authentication policies and introducing biometrics can have a positive impact on in-hospital data access by unauthorized staff, it does little to prevent theft, authorized employee carelessness or data appropriation.
To better address these issues, hospitals need to look further than authentication methods towards tools like Data Loss Prevention that can help them monitor and better protect personal health information (PHI). Solutions such as Endpoint Protector provide predefined compliance profiles for HIPAA, which allow admins to set policies that restrict the transfer of sensitive data, monitor its use and create logs and reports on its movements. Through Device Control, the use of portable devices and ports can be blocked or restricted to trusted devices. USB Enforced Encryption can be used to ensure that any data transferred onto USB drives is automatically encrypted so that, in case of theft or negligence, the information will be useless to those who steal or find it.
eDiscovery, on the other hand, can conduct network-wide scans and identify PHI stored locally on endpoints and, based on the results, allow admins to remotely erase or encrypt data found on unauthorized users' computers. Data Loss Prevention solutions thus protect PHI directly, without relying on employees following a specific set of rules imposed on them by hospital or compliance regulations.
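The content-discovery step described above (scan endpoint files for PHI indicators, then decide whether data at rest may stay, must be encrypted, or must be removed from an unauthorized machine) is easy to illustrate. The following is an added example written for this article; it is not Endpoint Protector's code and does not reflect how that product detects PHI. The file contents, paths, the `AUTHORIZED_USERS` set and the "clinical context" keyword list are all constructed assumptions. The example also shows why a bare SSN pattern is not enough: a number that merely looks like an SSN in a non-clinical file is left alone, which keeps false positives (and unnecessary remote erasures) down.

```python
import re
from dataclasses import dataclass

# Constructed sample files standing in for what a discovery scan would read
# from endpoints. Paths follow the hypothetical /home/<user>/... convention.
SAMPLE_FILES = {
    "/home/dr_lee/discharge_summary.txt":
        "Patient: Jane Doe  MRN: 00428811  DOB: 1974-03-02\n"
        "SSN 123-45-6789. Diagnosis: type 2 diabetes; insulin adjusted.",
    "/home/contractor/todo.txt":
        "Call vendor re: scanner maintenance; order 123-45 toner cartridges.",
    "/home/contractor/export.csv":
        "name,ssn,diagnosis\nJohn Roe,321-54-9876,hypertension\n",
    "/home/dr_lee/shopping.txt":
        "milk, eggs, 2 x 500-55-5555 batteries",
}

# Assumed policy: only these users' endpoints may hold PHI at all.
AUTHORIZED_USERS = {"dr_lee"}

# SSN pattern with the structurally invalid ranges excluded
# (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Medical record number, assumed format "MRN: <6-10 digits>".
MRN_RE = re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE)
# Clinical context terms; an identifier only counts as PHI alongside these.
CLINICAL_RE = re.compile(
    r"\b(patient|diagnosis|dob|insulin|diabetes|hypertension)\b", re.IGNORECASE
)


@dataclass
class Finding:
    path: str
    owner: str
    ssn_count: int
    mrn_count: int
    clinical_hits: int
    action: str  # "none", "encrypt" or "erase"


def owner_of(path: str) -> str:
    """Derive the endpoint user from the assumed /home/<user>/ layout."""
    parts = path.split("/")
    if len(parts) > 2 and parts[1] == "home":
        return parts[2]
    return "unknown"


def scan_text(text: str) -> tuple[int, int, int]:
    """Count SSN-like values, MRNs and clinical context terms in a file."""
    return (
        len(SSN_RE.findall(text)),
        len(MRN_RE.findall(text)),
        len(CLINICAL_RE.findall(text)),
    )


def classify(path: str, text: str) -> Finding:
    """Decide what the admin should do with one file.

    A file is treated as PHI only when it holds at least one identifier
    AND clinical context. PHI on an authorized user's machine is encrypted
    in place; PHI on anyone else's machine is flagged for remote erasure.
    """
    ssn, mrn, clinical = scan_text(text)
    owner = owner_of(path)
    is_phi = (ssn + mrn) > 0 and clinical > 0
    if not is_phi:
        action = "none"
    elif owner in AUTHORIZED_USERS:
        action = "encrypt"
    else:
        action = "erase"
    return Finding(path, owner, ssn, mrn, clinical, action)


def scan_endpoints(files: dict[str, str] = SAMPLE_FILES) -> list[Finding]:
    """Run the discovery scan over every sample file and return findings."""
    return [classify(path, text) for path, text in files.items()]


if __name__ == "__main__":
    for f in scan_endpoints():
        print(f"{f.action:8} {f.path}  (owner={f.owner}, ssn={f.ssn_count}, "
              f"mrn={f.mrn_count}, context={f.clinical_hits})")
```

Running it marks the discharge summary on the clinician's machine for encryption, the CSV export on the contractor's machine for erasure, and leaves the two non-clinical files alone even though one of them contains a string that matches the SSN pattern. A real deployment would replace the keyword list with the product's compliance profile and would log each decision for the audit trail the article mentions.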
As massive data depositories with outdated systems and ineffectual cybersecurity policies, hospitals make ideal targets for cybercriminals looking for an easy payday. It is time for healthcare organizations to look beyond minimum compliance requirements for HIPAA/HITECH and add data security to the top of their priorities list.