Criminal attacks new top cause of health sector breaches, study shows

Criminal attacks are the new top cause of data breaches in the US health sector, a Ponemon Institute report has revealed


There has been a 125% growth in these attacks in the past five years, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, commissioned by risk management software firm ID Experts.

Employee negligence and lost or stolen devices still cause many data breaches in the sector, but criminals are increasingly targeting and exploiting healthcare data, researchers said.

They said this is because cyber criminals recognise that healthcare organisations manage a treasure trove of financially lucrative personal information, and that these organisations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect healthcare data.

The study found that in healthcare organisations, criminal attacks accounted for 45% of breaches, compared with 12% due to malicious insiders.

The percentage of criminal-based security incidents is even higher, the study said. For instance, web-borne malware attacks caused security incidents for 78% of healthcare organisations.

Ponemon said that the latest study had been expanded beyond healthcare organisations to include business associates.

According to the researchers, this provides a broader view of the healthcare industry and shows the impact third parties have on the privacy and security of healthcare data.

The study shows that in the past year, 91% of healthcare organisations and 59% of business associates experienced a data breach.

Based on the results of this study, the report said data breaches could be costing the US healthcare industry $6bn a year.

The researchers said although there has been a slight uptick since 2010 in the investments healthcare organisations are making in protecting information, it is still not enough to address the rapidly changing cyber threat environment.

According to the study, half of healthcare organisations and business associates have little or no confidence that they have the ability to detect all patient data loss or theft.

The Ponemon Institute said healthcare organisations and their business associates share vulnerable patient data, and as a community, provide a large attack surface, with many points of access for criminals who are becoming more adept at acquiring and exploiting personal information.

Despite the changing threat environment, the study said organisations are not changing their behaviour. Only 40% of healthcare organisations and 35% of business associates are concerned about cyber attackers.


But many organisations said they do not have the budget and resources to protect both electronic and paper-based patient information.

For example, 56% of healthcare organisations and 59% of business associates do not believe their incident response process has adequate funding and resources.

The study also found that the majority of both types of organisations fail to perform a risk assessment for security incidents, despite a federal mandate to do so.

Carmine Clementelli, security expert at IT services firm and Fujitsu subsidiary PFU Systems, agrees with most findings of the report, but said there are things that forward-thinking healthcare institutions are doing to avoid data breaches.

There are three simple, inexpensive and resource-light steps that any organisation can take to protect personal health information: prevention, ongoing self-assessment and hygiene, he said.

"Prevention is as key to data security as it is to health, and new proactive monitoring works in concert with existing policies and systems to ensure the safety of BYOD, and let hospitals and health-sector organisations manage who and what is on the network, without introducing network complexity or constricting personnel policies," said Clementelli.

In terms of next-generation security, he said self-assessment includes behavioural traffic analysis and advanced intrusion prevention to monitor the network's health, and detect the viruses and malware that cyber criminals use.

"The third step is basic hygiene. Fortunately, managing applications, permission policies and risk levels at the data and subnet levels is easier for IT than it has ever been, thanks to breakthroughs over the last year," he said.

Clementelli said medical records are so valuable largely because health and insurance sector breaches typically take longer to detect than financial sector breaches.

"Three steps - prevention, ongoing self-assessment and basic hygiene - can help protect institutions and their patients from data thieves," he said.
