[BreachExchange] What Do We Know About Hospital Data Breaches?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 23 10:20:43 EST 2018


Almost every month, a new data breach hits another organization. Many of
these involve sensitive patient data at hospitals and medical centers,
highlighting the need for better security solutions within our healthcare

A recent study provides insight into the type of data breaches hospitals
face and which kinds of hospitals are most at risk.

Reported in the February issue of The American Journal of Managed Care, the
study found that improper disposal or theft of paper records and patient
films still happens more often than network attacks. However, much more
data is exposed when a cyberattack or electronic data breach occurs.

"Even with sophisticated health information technology (IT) systems in
place," the report noted, "security breaches continue to affect hundreds of
hospitals and compromise thousands of patients' data."

Ransomware Rise

The researchers, who analyzed data from a 7-year period from 2009 through
2016, pointed out that healthcare hackers no longer rely on just selling
stolen data. Instead, many use "ransomware" tactics to shut down systems
unless they are paid a financial bounty.

In May 2017, for example, a crippling ransomware hack hit the British
Health System and many others. Dubbed WannaCry and WannaCrypt, the huge
ransomware attack on May 12 hit hospitals, schools, government agencies,
and organizations around the world, locking them out of their own systems
and demanding ransom to be paid in Bitcoin.

Rare But Dangerous

Although this study found that healthcare network server breaches are
relatively rare, their effects are vast when breaches do occur. Consider,
for example, that the 10 breaches documented between 2009 and 2016 affected
a whopping 4.6 million people.

Individual laptops also emerged in the study as a major source of data
loss, "far outstripping electronic health records (EHRs) in terms of
numbers of breaches. There were 51 incidents of lost or stolen laptops
affecting 380,699 people. By comparison, there were 19 EHR breaches
affecting 44,805 people."

Which Hospitals Most at Risk?

The researchers identified 215 breaches affecting 500 or more people, over
the 7-year study period.

Breaches occurred in 185 nonfederal acute care hospitals. Of those 185
hospitals, 30 suffered more than one breach, while one hospital experienced
four separate breaches.

Teaching hospitals and pediatric hospitals were found to be more likely to
experience breaches.

Large hospitals (with more than 400 beds) were found to be more likely to
have breaches than small hospitals (with fewer than 100 beds) or medium
hospitals (with 100 to 399 beds).

Investor-owned / for-profit hospitals proved less likely to have a data
breach than nonprofit hospitals.

Research Conclusions

The authors noted that, during the 2009 to 2016 study period, hospitals
spent considerable budgetary funds upgrading their IT systems to meet
electronic health records (EHR) requirements. Much less was spent on
security during that time, despite the fact that cybercrime has been
growing more sophisticated over the past decade.

In conclusion, the researchers noted that the routine audits now required
by cyber-insurance providers may help healthcare facilities recognize and
repair their vulnerabilities before more breaches occur.

The research was led by Meghan Hufstader Gabriel, PhD, who is an assistant
professor in the College of Health and Public Affairs at the University of
Central Florida and a former economist at the Office of the National
Coordinator for Health Information Technology.

Gabriel and her team systematically reviewed records from the Office of
Civil Rights (OCR) in the US Department of Health and Human Services,
including data collected at federal acute care hospitals between October
2009 and July 2016.

In addition to Dr. Gabriel, co-authors of the research included Alice
Noblin, PhD, RHIA, CCS; Ashley Rutherford, PhD, MPH; Amanda Walden, MSHSA,
RHIA, CHDA; and Kendall Cortelyou-Ward, PhD.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180223/b67a9326/attachment.html>

More information about the BreachExchange mailing list