I would love to tell you that we’re making progress when it comes to minimizing the number of data breaches affecting healthcare service providers across the globe, but unfortunately, it doesn’t appear to be the case. In fact, the evidence from 2019 suggests that we may well be getting worse…
In 2018, we recorded 503 healthcare-related data breaches, with approximately 15 million patient records compromised.
According to the Protenus Breach Barometer, the number of data breaches affecting the healthcare industry tripled between 2017 and 2019.
The 5 Largest Healthcare Data Breaches of 2019
1. The American Medical Collection Agency (AMCA) – The AMCA, a debt collection agency for the US healthcare sector, suffered a data breach affecting more than 20 million American citizens, according to the original report by databreaches.net. Hackers were able to break into the AMCA network and steal personal information, including Social Security numbers, payment card and bank account information.
2. Dominion National – Dominion National, a Virginia-based insurer and administrator of dental and vision benefits, fell victim to a data breach affecting 2.9 million members. The organization was breached in August 2010, yet the breach wasn’t disclosed until April 2019. The breach was allegedly caused by an “inadequately addressed security flaw in servers”, according to an article by Healthitsecurity.com.
3. Inmediata Health Group – The group suffered a data breach after a server configuration error resulted in the exposure of personal data belonging to more than 1.5 million patients. Staff members of Inmediata Health Group became aware of the breach when they found some of their internal web pages showing up in Google search results.
4. UW Medicine – The University of Washington School of Medicine suffered a breach affecting 1 million patients. The breach was allegedly caused by a database configuration error, which was identified by UW Medicine in December 2018.
5. Oregon Department of Human Services – In January 2019, the Oregon Department of Human Services was hit by a targeted phishing campaign that led to 9 employees handing over their credentials to cyber-criminals. With those credentials, the attackers were able to gain access to personal data belonging to approximately 645,000 patients.
Other notable attacks include Wolverine Solutions Group, which fell victim to a ransomware attack in September, affecting approximately 600,000 patients. In February, Columbia Surgical Specialists fell victim to what was thought to be a ransomware attack, affecting 400,000 patients, and UConn Health suffered a data breach affecting approximately 330,000 patients. The reality is that these cases are just the tip of the iceberg. It’s clear that we have a lot of work to do if we are to reduce the number of attacks on healthcare service providers.
Why Are Healthcare Service Providers Failing to Prevent Data Breaches?
There are many reasons why healthcare providers are struggling to keep sensitive data out of the wrong hands.
To start with, unlike payment card information, which becomes worthless as soon as the card is cancelled and reissued, PHI (Protected Health Information) cannot be reissued: a person’s medical history, date of birth and Social Security number stay the same, so stolen PHI can be used many times, for many different kinds of fraud. That is one of the reasons why PHI is so valuable.
However, it’s not necessarily the type of data that is driving attacks on the healthcare industry, but the lack of security training, IT security specialists, and technologies available to these providers. On top of this, health records need to be accessed by many different practitioners, from many different locations, which makes keeping track of who has touched these records particularly hard.
According to the Protenus report, most security incidents were caused by phishing attacks, or by attacks on third-party vendors. Ransomware attacks continue to pose a serious threat, a problem compounded by the fact that 56% of health providers still rely on the legacy Windows 7 operating system. Windows 7 reached the end of its support life in January 2020 and no longer receives security patches, so any new vulnerability found in it stays open for attackers to exploit.
We must also confront the possibility of espionage; after all, healthcare is a critical part of a country’s infrastructure. To summarize, healthcare providers are falling victim to so many cyber-attacks because the attack surface is simply too big for the resources that are available to them.
How Can Healthcare Providers Minimize the Chance of a Data Breach?
Naturally, the first line of defence against phishing and ransomware is to ensure that staff members are sufficiently trained to identify suspicious emails. Training will never stop every click, however, so it needs to be backed by controls that limit what a stolen password is worth, such as multi-factor authentication on remote access and email. Service providers will also need to ensure that they have visibility into who has access to what information, from what location, and when.
Given that the average hospital shares health records with 16 different vendors, this is easier said than done. Some experts have recommended outsourcing all data storage and management to a specialized third party, which is then responsible for granting, revoking and monitoring all access to patient records. However, that third party will still need to work alongside the hospital and/or the patient to ensure that access is granted only to the relevant party.
Either way, service providers will need to accept that security incidents are going to happen, and focus their attention on ensuring that they have the visibility they need to identify incidents in a timely manner, which means leveraging the best tools and technologies available.
Providers will need a data classification tool which can automatically scan directories for PHI and classify the data accordingly. They must ensure that those who have access to PHI are granted the least privileges they need to carry out their role. They need an advanced real-time auditing solution that can aggregate and correlate event logs from a wide range of platforms and present a summary of events via an intuitive dashboard, which will be closely monitored by the relevant personnel.
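The classification step described above can be automated with fairly little code. The following is an added example, written for this article rather than taken from any vendor’s product, of a scanner that looks for PHI indicators in a set of documents. It uses two assumed signals: an SSN-shaped number that passes the Social Security Administration’s structural rules (area not 000, 666 or 900–999; group and serial not all zeros), and a small, assumed list of health-context keywords. A document with both is labelled PHI, one with only an SSN is labelled PII, and anything else is labelled INTERNAL. The sample files are constructed for the example and contain no real data.

```python
import re
from typing import Dict, List

# Assumed, illustrative indicators. A production classifier would use many more
# (MRNs, dates of birth, ICD codes, dictionary matches, ML models); these two
# are enough to show the approach and the false-positive check that goes with it.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
HEALTH_KEYWORDS = ("diagnosis", "patient", "prescription", "medical record", "icd-10")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (cuts false positives
    from form templates, placeholders and test data)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return every SSN-shaped token in the text that passes the structural check."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def has_health_context(text: str) -> bool:
    lower = text.lower()
    return any(keyword in lower for keyword in HEALTH_KEYWORDS)


def classify(text: str) -> str:
    """Assign a classification label to one document's text."""
    ssns = find_ssns(text)
    if ssns and has_health_context(text):
        return "PHI"       # identifier plus health context: protected health information
    if ssns:
        return "PII"       # identifier without health context: still sensitive
    return "INTERNAL"      # nothing matched; still not public by default


def classify_files(files: Dict[str, str]) -> Dict[str, str]:
    """Classify a mapping of file name -> file contents (stand-in for a directory walk)."""
    return {name: classify(body) for name, body in files.items()}


# Constructed sample documents for the example; no real people or identifiers.
SAMPLE_FILES = {
    "discharge_summary.txt": "Patient: J. Doe, SSN 123-45-6789. Diagnosis: acute appendicitis.",
    "payroll_export.csv": "name,ssn\nA. Smith,321-54-0987",
    "intake_template.txt": "Patient SSN: 000-12-3456 (placeholder, replace before use)",
    "cafeteria_menu.txt": "Monday: soup. Tuesday: salad.",
}

if __name__ == "__main__":
    for name, label in classify_files(SAMPLE_FILES).items():
        print(f"{label:9s} {name}")
```

Note what the structural check buys you: the intake template contains the word “patient” and an SSN-shaped string, but because the area number is 000 it is not a real SSN and the file is not wrongly swept into the PHI bucket. In a real deployment the `SAMPLE_FILES` dictionary would be replaced by a walk over the file shares, and the labels would drive access policy and audit scope.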
A lot of real-time auditing solutions are capable of detecting and responding to events that match a pre-defined threshold condition. This could be useful for minimizing the damage caused by a ransomware attack. For example, if a certain number of files are modified or renamed within a given timeframe, a custom script could be executed to disable the user account involved or temporarily lock down all privileged accounts.
The script could stop a specific process, adjust the firewall settings, or simply shut down the affected server. In an ideal world, all affiliates and associates would be using the same system for auditing access to PHI. This would enable them to share event logs with each other, giving service providers a complete overview of who is doing what, where, and when.
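The threshold rule described in the two paragraphs above is simple enough to show in full. The following is an added example, written for this article and not taken from any auditing product, of a sliding-window detector: it counts file WRITE and RENAME events per user account and, when one account exceeds an assumed limit of 50 such events within 60 seconds, records a disable-account response for that user. The audit lines are a constructed, simplified format (`<timestamp> <user> <action> <path>`) rather than a real product’s log; the response is recorded as a string here, where a real script would call the directory to disable the account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Assumed tuning values for the example; set them from a baseline of normal
# activity on the share so that bulk but legitimate jobs do not trip the rule.
MAX_FILE_CHANGES = 50
WINDOW = timedelta(seconds=60)


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one constructed audit line: '<iso-timestamp> <user> <action> <path>'."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


class RansomwareThresholdDetector:
    """Per-user sliding-window counter of file writes and renames."""

    def __init__(self, threshold: int = MAX_FILE_CHANGES, window: timedelta = WINDOW):
        self.threshold = threshold
        self.window = window
        self.recent: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.triggered: Set[str] = set()   # accounts already acted on
        self.actions: List[str] = []       # response log, one line per action

    def _respond(self, user: str, ts: datetime) -> None:
        # Hook for the custom script: in production this would disable the
        # account in the directory and/or kill the offending session.
        self.triggered.add(user)
        self.actions.append(f"{ts.isoformat()} disable_account {user}")

    def process(self, line: str) -> None:
        ts, user, action, _path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            return                          # reads and logons are not counted
        window_events = self.recent[user]
        window_events.append(ts)
        # Drop events older than the window so the count reflects recent rate only.
        while window_events and ts - window_events[0] > self.window:
            window_events.popleft()
        if user in self.triggered:
            return                          # respond once per account
        if len(window_events) >= self.threshold:
            self._respond(user, ts)


def run_detector(lines: List[str]) -> RansomwareThresholdDetector:
    """Feed audit lines (in time order) through the detector and return it."""
    detector = RansomwareThresholdDetector()
    for line in lines:
        detector.process(line)
    return detector


def constructed_log() -> List[str]:
    """Constructed sample audit trail: a clinician saving notes at a normal pace,
    then ransomware renaming 60 files in 30 seconds under a compromised account."""
    base = datetime(2019, 9, 3, 8, 0, 0)
    lines = []
    for i in range(4):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} dr.patel WRITE /shares/clinic/notes/note{i}.docx")
    for i in range(60):
        t = base + timedelta(minutes=5, seconds=i // 2)
        lines.append(f"{t.isoformat()} svc.billing RENAME /shares/finance/inv{i}.xlsx.locked")
    return sorted(lines)   # ISO timestamps sort correctly as strings


if __name__ == "__main__":
    det = run_detector(constructed_log())
    for action in det.actions:
        print(action)
```

Two design points are worth noting. The detector responds once per account and then ignores it, so a burst does not generate fifty disable commands; and it counts only writes and renames, so a user opening many records is not mistaken for ransomware. The rename to a `.locked` path is left in the sample to show what the trigger typically looks like, but the rule itself is extension-agnostic: rate of change is the signal, which is what lets it catch a family you have not seen before.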