New Healthcare Data Security Study Released

By Richard Anderson

A new healthcare data security study has been published in the JAMA (The Journal of the American Medical Association) which confirms that the number of healthcare data hacking incidents is indeed on the rise.

Kaiser Permanente Healthcare Data Security Study Shows Healthcare Hacks Have Doubled in 12 Months

The latest healthcare data security study was conducted by Kaiser Permanente, an integrated managed care consortium, based in Oakland, California.

The healthcare data security study looked at data between 2010 and 2013, with the number of reported incidents being deemed to have doubled during that period. In 2010, security incidents attributed to hackers stood at 5% of the total number reported. In 2013 that figure had almost doubled to 9%.

What is particularly worrying is that once hackers gain access to a computer or server, they are able to obtain vast quantities of data. The Anthem hacking incident earlier this year is a good example. Thieves were able to obtain the records of 78.8 million of the company’s health insurance customers, while the Premera data breach exposed the healthcare data of 11 million individuals. In 2014, Community Health Systems suffered a data breach caused by hackers that exposed 4.5 million records.

Dr. Vincent Liu was the lead author of the study and works in the research division of the company in Oakland, California. He said, “Our study demonstrates that data breaches have been and will continue to be a persistent threat to patients, clinicians, and health care systems,” he also pointed out the seriousness of the attacks by hackers and the huge volume of individuals that they can affect.

The healthcare data security study involved the analysis of breach reports made to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR must be notified of all data breaches that are understood to have involved PHI, regardless of the number of individuals affected. HIPAA breaches reports involving over 500 individuals must be reported to the OCR within 60 days of discovery of the breach, while smaller breaches can be reported on an annual basis. This healthcare data security study was conducted on breaches involving more than 500 individuals.

The team found that over the period of 4 years, 949 data breaches were reported across the country as a whole. During the period under test, the number of incidents increased year on year. In 2010 212 breaches were reported, while in 2013 that figure had risen by 51 incidents to 265.

Theft of Unencrypted Devices Accounts for 60% of Breaches

The team discovered that during this period the most common cause of exposure of PHI was the theft of unencrypted devices, which accounted for 60% of the total breaches for the four year period. Data breaches can be caused by all portable devices that contain unencrypted data, including laptop computers, portable storage devices and Smartphones. Desktop computers are also a risk, as has been shown by a number of recent break in and thefts.

While mobile phones do not tend to store any where near as much data as laptops and desktops, they do carry a particularly high risk of PHI exposure unless a healthcare secure messaging app is used. Data encryption must also be used on all portable devices to ensure the risk of PHI exposure is reduced to a minimal level.

The journal published an editorial which explained that in many cases hackers are targeting healthcare organizations for the data they hold on patients, but pointed out that as a result of data breaches, some patients are withholding the information they are giving to healthcare professionals out of fear that the information may be obtained by others. The editorial points out that this may be a particular problem with “sensitive information about their health, including substance abuse, mental health problems, and HIV status.”

According to the piece, “Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States.”

Twitter Facebook LinkedIn Reddit Link copied to clipboard

Posted by

Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news