The year 2018 has not been a healthy one for the healthcare industry, specifically when it comes to disastrous data breaches. Unfortunately, this is part of a larger trend, which does not show signs of letting up and has been affecting digital health records for years. Despite the push for better awareness among healthcare organizations at the executive level, cyber criminals continue to find creative new ways of infiltrating the medical system.
In fact, researchers recently examined data released by the U.S. Department of Health and Human Services on 1,138 health data breaches, which affected a total of 164 million patients from October 2009 through the end of 2017. Hackers got ahold of records for a total of 133.8 million patients in 233 separate incidents during this period. And all the damage they caused as a result is basically unmeasurable.
What have these hackers been up to?
In October of 2018, the personal files of more than 93,000 individuals were accessed by hackers who breached a government system connected to the HealthCare.gov website. The organization detected “anomalous system activity” in a tool that’s supposed to be used for brokers to help consumers get insurance coverage via the Federally Facilitated Exchange’s Direct Enrollment pathway. The portal was compromised between October 13 and 16, and no one knows quite how.
While the Direct Enrollment pathway for brokers was temporarily disabled, and spokespersons claim that user data is secure, it remains to be seen how this type of exposure puts consumers at risk in the future when the information accessed included names, dates of birth, address, gender and the last four digits of Social Security numbers.
How does this behavior affect patients and organizations?
The more digitized health records and systems become, the more risk we face—as people and as patients. Over the past eight to ten years, the most common types of security breaches in the healthcare industry have gone from laptop computer break-ins to stolen paper and film records to hacked network servers or emails, which now account for the largest number of breaches. It’s a sheer numbers game.
When paper records were kept in a filing cabinet, it would have been much harder to scale a phishing expedition, one hospital at a time. Now hackers can compromise an entire network with one keystroke and cause widespread panic. The ultimate impact is that healthcare organizations face not only a much greater financial risk around personal data, but also a heightened reputational risk.
Hackers or humans?
Surprisingly, malware and phishing attacks are not the top cause of data breaches. In 2017, as cited in a recent study issued by Massachusetts General Hospital physicians, theft of equipment or information by unknown outsiders, or by current or former employees, accounted for 42% of cases (472 incidents).
Other common human-caused security breaches involve employee errors like mailing or emailing records to the wrong person, sending unencrypted data, taking records home, or forwarding data to personal accounts or devices. The study noted that more than half of breaches are triggered by internal negligence and are considered, to some extent, to be preventable. When employees failed to use the encryption tools available to them, that was just downright irresponsible. Human error alone accounts for more than half of healthcare industry breaches.
How to mitigate breach risks?
Education and basic employee training are a good place to start, and they can help mitigate breach risks if healthcare organizations ensure that simple protocols are followed. One such simple step is for healthcare organizations to transition from paper to digital medical records. Experts consistently advise against the use of mobile devices for transferring protected information and instead recommend using encryption, firewall protection and cloud-based data storage.
In addition, Ge Bai of the Johns Hopkins Carey Business School in Washington, D.C. states that “breaches related to poor communication practices can also be avoided.” Bai advises that healthcare organizations should require mandatory verification of recipients, verify that no private information is exposed in envelope windows for mailed documents, and ensure encryption is used for all emails.
Effective cybersecurity is not just about the technology. Often, companies buy the latest software to protect themselves from hackers, but fail to implement the data management processes and education of employees required to mitigate the risks. The majority of data breaches, and even many cyberattacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.
If the past is any indicator of the future, healthcare security risks will continue to increase. It’s a safe bet that administrators are boosting budgets, cracking down on employee protocol, and shoring up network security. Whether this entails protecting patient privacy, improving healthcare data security, or preventing ransomware from infecting the endpoints and networks of organizations, they have their work cut out for them.