The healthcare industry is suffering a shocking number of data breaches, with reported PHI exposures increasing year on year; while many are due to healthcare IT security vulnerabilities, an alarming number are caused by simple carelessness. A recent report from Experian shows that this year is the worst ever for healthcare data breaches, and many of these breaches would have been easy to prevent.
Accidental disclosure of PHI by hospital staff, lost laptops, and medical records being improperly disposed of account for a high percentage of the security breaches reported each year, and it is these areas of data security that must be addressed. They should be the easiest to tackle if staff take more responsibility for their actions.
The Experian data security report indicates that this will continue to be a particularly bad year for the healthcare industry, with numerous healthcare data breaches expected to be reported. Hacking appears to be on the rise, and hacking incidents, when they do occur, tend to cause the biggest media buzz. It is important to remember, however, that the majority of data breaches result from simple carelessness.
Under HIPAA, reporting requirements are strict, and Experian points out that this could affect the results of its study simply because more data breaches are now being reported. However, it suggests that its data shows healthcare IT security to be in a sorry state, mainly due to a lack of respect, a lack of funding and, in all too many cases, too little being done too late to improve data security.
The Healthcare Industry under Attack
A recent SANS Healthcare Cyber Threat Report – compiled using data collected by the threat intelligence vendor Norse – analyzed data recorded between September 2013 and October 2013. During that time the company recorded 50,000 “unique malicious events”. 72% of those attacks were on healthcare providers and 10% on Business Associates.
According to Barbara Filkins, a Senior SANS Analyst and Healthcare Specialist: “The sheer volume of IPs detected in this targeted sample can be extrapolated to assume that there are, in fact, millions of compromised health care organizations, applications, devices and systems sending malicious packets from around the globe.”
Where are the Cyber Security Attacks Taking Place?
- VPNs – 33%
- Firewalls – 16%
- Routers – 7%
- Connected endpoints (digital video/radiology imaging software, etc.) – 17%
Filkins pointed out that in many cases the systems used by healthcare providers to detect threats, intrusions and improper access are substandard and are not “detecting malicious traffic coming from the network endpoints inside the protected perimeter.” Healthcare IT security vulnerabilities are simply not being addressed.
There are other issues. Installing a firewall, for example, is not sufficient by itself: a firewall provides no protection against a hacker, or any other individual intent on viewing healthcare information, if its default user names and passwords are not changed. Norse CEO Sam Glines points out that “Many firewall devices with a public-facing interface, for example, still use the factory username and password. The same is true of many surveillance cameras and network-attached devices such as printers”.
Data Security Must be Improved
In such cases no hacker is needed to break in: a simple internet search will reveal the default login names and passwords. Mobile health security is also a major issue, with health apps and patient portals often lacking appropriate controls. Without PIN locking and encryption, mobile health apps are insecure, yet many healthcare providers have failed to identify even basic security vulnerabilities. These apps must be subjected to a full risk assessment, and IT security professionals should try to break into their own systems to find out just how easy it is.
A combination of low investment, an increased risk of attack and a lack of attention to IT security has produced the current situation, but with heavy fines possible and audits looming, covered entities must invest in security now.
It is essential that the implications of a breach are considered and communicated to executive staff, and that network administrators change all default access codes and implement other “basic levels of security”. Addressing these basic healthcare IT security vulnerabilities can make a huge difference and greatly reduce the number of data breaches suffered by the industry.