[BreachExchange] Study: 23 percent of all data breaches occur in healthcare

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 9 17:51:23 EDT 2016


http://medcitynews.com/2016/05/study-data-breaches-healthcare/comment-page-1/?rf=1

A new Brookings Institution study finds that healthcare data breaches are
increasing, despite growing public awareness, increased security assurances
and rising government fines.

The study revealed that 23 percent of all data breaches occur in healthcare
and have impacted 155 million Americans in almost 1,500 breaches in the
past six years. The total number of breach victims tripled in the last two
years alone. The per-record cost for healthcare data breaches is $363, the
highest of any industry.

The 28-page study was authored by Niam Yaraghi, a fellow with Brookings’
Center for Technology Innovation. Yaraghi examined recent healthcare data
breaches and sought to explore the underlying factors leading to them and
ways to prevent future incursions. He interviewed 22 IT leaders within
healthcare provider and insurance companies.

He said that healthcare data is more valuable than many other forms of
personal identification because information such as birth dates, Social
Security and insurance ID numbers don’t change and criminals can charge
premium prices on the black market.

According to the study, digitized personal health data increasingly is
shared with insurers and other providers, contributing to the likelihood of
breaches. Yaraghi said that federal health agencies encouraged the
proliferation of electronic health records before providers and payers had
adequate security measures in place, and he believes that healthcare
organizations still have not invested sufficiently in cybersecurity.

“In the financial industry, for example, the value of cybersecurity
specialists is better understood,” he said, while noting optimistically
that recent ransomware attacks have served as “wake-up calls” for many
healthcare organizations.

“They’ve learned that they can no longer operate the way they did. Security
is becoming a much more integral part of their healthcare system. They need
to treat cyber security with the same priority as other departments,”
Yaraghi said.

He said it’s unrealistic to expect small community hospitals to muster the
resources to combat well-funded and determined criminal organizations
intent on breaching their data, particularly when large national banks,
retail chains and even the federal government have been hacked.

“That should not prevent hospitals from keeping their systems updated and
avoiding the kinds of human errors responsible for most data breaches,”
Yaraghi said. He pointed out that healthcare organizations can adopt better
practices and policies to prevent lost laptops, misplaced hard drives and
employees clicking on suspicious files hiding malware and spyware.

He recommended healthcare organizations prioritize patient privacy and
protect it. At the very least, healthcare firms should share information
about data breaches and exchange best practices and lessons learned.

“Right now that information sharing about security and privacy practices is
not widely shared,” he said.

Yaraghi further advised healthcare organizations to invest in cyber
insurance, though he conceded the market for such products is not yet
mature.

Yaraghi said that the HHS Office for Civil Rights, which is charged with
investigating healthcare data breaches, should better disseminate
information about its audits and investigations. He said government
penalties imposed for healthcare data breaches have been inadequate.

“There should be less emphasis on punishment and more on prevention,” he
said.