According to a recent report by Bitglass, in 2016 there were 328 data healthcare data breaches reported in the US. That’s 60 more breaches than there were in 2015. An estimated 16.6 million US citizens were exposed as a result. The breaches were caused by various hacks, lost or stolen devices, and unauthorized disclosure of sensitive information.
However, while the number of reported breaches are increasing, the overall number of compromised records have decreased for the second year in a row, and it look like this trend will continue in 2017.
The information from the Bitglass report was sourced from a database maintained by the U.S. Department of Health and Human Services. This database is referred to by some as the “wall of shame”, and is required by the Health Insurance Portability and Accountability Act (HIPAA), to help identify the most common causes of data leakage.
The key findings of the Bitglass report are as follows:
- The total number patients affected by the breaches have gone down significantly since 2015
- Unauthorized disclosures account for nearly 40% of breaches
- The 5 largest breaches were the result of hacking
What is it about healthcare data that is so alluring?
There are a number of reasons why healthcare is data attracts malicious actors. To start with, most health records contain information such as credit card details, medical information, email addresses, social security numbers, employment information etc. This information can be used to steal the patients identity, commit fraud, or extort the patient in some way.
What can healthcare service providers do to protect sensitive patient information?
Protecting healthcare data is much the same as protecting the data that belongs to any organisation. Below are some of the key measures that need to be taken in order to protect sensitive data:
- Encrypt all sensitive information
- Ensure that passwords are strong, rotated periodically, and are not shared with other staff members
- Ensure that anti-virus software is kept up-to-date
- Implement a policy that controls the usage of USB drives, as such devices could lead to the loss/leakage of sensitive data
- Ensure that you are compliant with relevant data protection laws and regulations
- Make sure you have a clear protocol in place for dealing with breaches, should one occur
- Educating staff members about data protection is very important
- Audit everything!
The last point is perhaps the most important. Many healthcare providers are still not able to quickly and accurately determine who has access to what data, where their sensitive data is located, and when this data is accessed. Yet, despite the importance of auditing important system changes, it is often the most overlooked area of data security. Installing a sophisticated suite of auditing tools doesn’t need to be expensive. There are a number of commercial solutions that provide an extensive range of features, at a reasonable price. For example, LepideAuditor enables organisations to track system changes and permissions and provides a wide-range of detailed reports and alerts.