Criminal attacks new top cause of health sector breaches, study shows

Criminal attacks are the new top cause of data breaches in the US health sector, a Ponemon Institute report has revealed

There has been a 125% growth in these attacks in the past five years, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, commissioned by risk management software firm ID Experts.

Employee negligence and lost or stolen devices still cause many data breaches in the sector, but criminals are increasingly targeting and exploiting healthcare data, researchers said.

They said this is because cyber criminals recognise that healthcare organisations manage a treasure trove of financially lucrative personal information, and that these organisations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect healthcare data.

The study found that in healthcare organisations, criminal attacks accounted for 45% of breaches, compared with 12% due to malicious insiders.

The percentage of criminal-based security incidents is even higher, the study said. For instance, web-borne malware attacks caused security incidents for 78% of healthcare organisations.

Ponemon said that the latest study had been expanded beyond healthcare organisations to include business associates.

According to the researchers, this provides a broader view of the healthcare industry and shows the impact third parties have on the privacy and security of healthcare data.

The study shows that in the past year, 91% of healthcare organisations and 59% of business associates experienced a data breach.

Based on the results of this study, the report said data breaches could be costing the US healthcare industry $6bn a year.

The researchers said although there has been a slight uptick since 2010 in the investments healthcare organisations are making in protecting information, it is still not enough to address the rapidly changing cyber threat environment.

According to the study, half of healthcare organisations and business associates have little or no confidence that they have the ability to detect all patient data loss or theft.

The Ponemon Institute said healthcare organisations and their business associates share vulnerable patient data, and as a community, provide a large attack surface, with many points of access for criminals who are becoming more adept at acquiring and exploiting personal information.

Despite the changing threat environment, the study said organisations are not changing their behaviour. Only 40% of healthcare organisations and 35% of business associates are concerned about cyber attackers.

But many organisations said they do not have the budget and resources to protect both electronic and paper-based patient information.

For example, 56% of healthcare organisations and 59% of business associates do not believe their incident response process has adequate funding and resources.

The study also found that the majority of both types of organisations fail to perform a risk assessment for security incidents, despite a federal mandate to do so.

Carmine Clementelli, security expert at IT services firm and Fujitsu subsidiary PFU Systems, agreed with most findings of the report, but said there are things that forward-thinking healthcare institutions are doing to avoid data breaches.

There are three simple, inexpensive and resource-light steps that any organisation can take to protect personal health information: prevention, ongoing self-assessment and hygiene, he said.

“Prevention is as key to data security as it is to health, and new proactive monitoring works in concert with existing policies and systems to ensure the safety of BYOD, and let hospitals and health-sector organisations manage who and what is on the network, without introducing network complexity or constricting personnel policies,” said Clementelli.

In terms of next-generation security, he said self-assessment includes behavioural traffic analysis and advanced intrusion prevention to monitor the network's health, and to detect the viruses and malware that cyber criminals use.

“The third step is basic hygiene. Fortunately, managing applications, permission policies and risk levels at the data and subnet levels is easier for IT than it has ever been, thanks to breakthroughs over the last year,” he said.

Clementelli said medical records are so valuable largely because health and insurance sector breaches typically take longer to detect than financial sector breaches.

“Three steps - prevention, ongoing self-assessment and basic hygiene - can help protect institutions and their patients from data thieves,” he said.

My doctor's office has put all my medical history out on the cloud for me to access. I don't need it and am very uncomfortable with it out there. My wife and I have had data breach risks in the past with other companies and it's getting worse each day. How is this even possible with the laws currently in place?
Since sensitive patient data can be easily transmitted and exposed, no organization is immune from data breach
I'm in a similar situation. My group of hospitals/doctors has finally moved into the 21st century, but there are risks that go with that. I love sending an email to my doctor to discuss prescriptions, conditions and plan visits. I think the issue here is like any tech solution...not everyone knows how to secure their communication. Perhaps the planned goal should be one where some education is included before everyone starts using this tool. I know I'm not going to share anything extremely private via email, but there are lots of people who don't understand how or where they can draw the line. It will take some time, but online discussions save time and keep people connected.