A recent report from the Journal of the American Medical Association shows just how much of a problem data security has become for hospitals and healthcare organizations. The study indicates that between 2010 and 2017, the number of individual data breaches reported by healthcare organizations increased in all but one year. Examples of reported breaches include:
- Laptop theft
- Malware or ransomware
- Sharing personal data through email
- Improper disposal of patient records
The study’s authors, Thomas H. McCoy Jr., M.D. and Roy H. Perlis, M.D., M.Sc., analyzed breaches reported to the U.S. Department of Health and Human Services Office for Civil Rights. Under federal healthcare regulations, healthcare organizations are required to report data breaches that affect 500 or more people. The number of breaches reported by healthcare organizations during the period under examination increased from 199 to 344.
Healthcare organizations are particularly attractive targets for thieves and hackers because of the high value and confidential nature of medical data. At the same time, the widespread adoption of electronic medical records puts more and more organizations at risk.
“Although networked digital health records have the potential to improve clinical care and facilitate learning [in] health systems, they also have the potential for harm to vast numbers of patients at once if data security is not improved,” said the study’s authors.
Losing access to important patient information can delay or hinder patient care. This is why, when healthcare providers are targeted by hackers, they’re more than willing to pay a hefty ransom to get their data back. If thieves are able to access the patient data – as opposed to just encrypting it – they are able to sell it on the dark web for prices several times higher than stolen credit card information.
The report shows that healthcare providers are targeted more frequently than health plans, although health plans are often forced to pay out higher ransoms because of their size and risk for non-compliance with federal healthcare regulations.
IT security experts often recommend that healthcare providers deploy security measures such as advanced malware protection, anti-virus and firewalls. While these measures are necessary, they can also lead to a false sense of security, since anti-virus and firewalls can only catch a fraction of known threats. The only way for healthcare organizations to ensure they never have to pay thieves to get their patient data back is to keep backup copies saved separately. Ideally, backup protection includes point-in-time retention, which lets healthcare organizations roll back the clock on a ransomware infection and retrieve clean copies of data from before it began. Endpoint protection for laptops and mobile devices should include advanced features, like device tracking and remote wipe, to prevent sensitive patient medical information from falling into the wrong hands. If all healthcare organizations deployed sufficient data security measures, they could slow or even stop breaches of confidential patient data, and thus deprive cyberthieves of a lucrative source of income.
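To make the point-in-time retention idea concrete, here is an added example (not code from the article or from any product it mentions) that models a versioned backup catalogue: each snapshot records file digests at backup time, a retention policy prunes old snapshots, and a restore routine picks the newest intact snapshot taken before the infection started. The file names, dates and contents are constructed; the demo shows that a retention window shorter than the time between infection and detection leaves no clean copy to restore.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class Snapshot:
    """One point-in-time copy: file contents plus the digests recorded at backup time."""
    taken_at: datetime
    files: dict
    digests: dict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_snapshot(taken_at: datetime, files: dict) -> Snapshot:
    return Snapshot(taken_at, dict(files), {p: sha256(b) for p, b in files.items()})


def snapshot_intact(snap: Snapshot) -> bool:
    """True if every stored blob still matches the digest recorded when it was taken."""
    return all(sha256(snap.files[p]) == d for p, d in snap.digests.items())


def apply_retention(snapshots: list, now: datetime, keep_days: int) -> list:
    """Keep only snapshots inside the retention window, oldest first."""
    cutoff = now - timedelta(days=keep_days)
    return sorted((s for s in snapshots if s.taken_at >= cutoff), key=lambda s: s.taken_at)


def select_restore_point(snapshots: list, infected_at: datetime):
    """Newest intact snapshot taken strictly before the earliest sign of infection."""
    clean = [s for s in snapshots if s.taken_at < infected_at and snapshot_intact(s)]
    return max(clean, key=lambda s: s.taken_at, default=None)


def demo(keep_days: int):
    """Constructed timeline: daily backups, files encrypted on day 5, detected on day 9."""
    day0 = datetime(2018, 1, 1)
    infected_at, detected_at = day0 + timedelta(days=5), day0 + timedelta(days=9)
    snaps = []
    for d in range(10):
        when = day0 + timedelta(days=d)
        # after infection the backup job faithfully copies the ransomware's encrypted output
        record = b"patient chart v%d" % d if when < infected_at else b"\x00ENCRYPTED\x00" * 4
        snaps.append(make_snapshot(when, {"records/chart-1001.txt": record}))
    retained = apply_retention(snaps, detected_at, keep_days)
    chosen = select_restore_point(retained, infected_at)
    return None if chosen is None else chosen.files["records/chart-1001.txt"]
```

With a 7-day window `demo(7)` recovers the last clean chart from day 4; with a 3-day window every retained snapshot post-dates the infection and `demo(3)` returns `None`, which is why the retention period must exceed the expected time between infection and detection.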