November 26, 2019

Healthcare data breaches expose 38 million records in 2019, highlighting “cultural issue”

By Lucy Ingham

Over the course of 2019, over 38 million healthcare records have been exposed in data breaches in the US alone, according to research published today by the HIPAA Journal.

This means that this year alone, the healthcare data of 11.64% of the US population has been exposed, stolen or incorrectly disclosed.

The journal, which draws data of reported breaches from the US Department of Health & Human Services’ (HHS) Office for Civil Rights, also found that October was the worst month so far for data breaches, with a 44.44% month-over-month increase in healthcare data breaches.

The news has been met with concern by the cybersecurity community, particularly given the sensitive nature of healthcare data.

“Healthcare information is some of the most sensitive of personal information,” said Javvad Malik, security awareness advocate at KnowBe4.

“While it is important to have healthcare information readily available to medical professionals, care needs to be taken that the information is not made available to criminals trying to gain access.”

Combatting healthcare data breaches

While breaches of healthcare data is undoubtedly serious, arguably the bigger problem is the culture surrounding the handling of healthcare data, as while the tools to protect against breaches do exists, the sector does not appear to be applying them effectively.

“It’s not that there is a lack of data protection tools and procedures. Encryption, multi-factor authentication, data access models and such all exist,” explained Malik.

“What we have is more of a lack of willingness, or awareness to implement strong data protection controls, in some cases for good reason. But broadly speaking this is a cultural issue, where medical institutes, by and large, do not consider security requirements, and do not drill in security through every role.”

For some, the solution lies in going beyond basic legal requirements, and using robust systems that make it as difficult as possible for a breach to occur.

“To ensure patients’ care and safety, healthcare organisations must ensure that their environment is duly protected against unauthorised changes and misconfigurations, which can make their environment susceptible to a cyberattack,” explained Dean Ferrando, systems engineer manager – EMEA, at Tripwire.

“Given the increased cyberattacks against healthcare organisations, it is simply no longer sufficient to merely be compliant with security frameworks.

“When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances, but also provides protection for data in transit and at rest.”

However, for Malik, healthcare must build security best-practices that are comparable to those found in physical healthcare environments:

“Until we see cybersecurity being embedded into the culture of healthcare organisations in the same way that we try to combat the spread of germs with constant reminders and availability of anti-bacterial hand wash, we will continue to see breaches occur.”

Read more: Two years on from WannaCry, healthcare sector is “fastest industry” in fixing security flaws