12/6/2012 04:10 PM

Most Healthcare Organizations Suffered Data Breaches

Data breach problems contagious among U.S. healthcare organizations, new reports show

Two separate reports released today show the critical condition of U.S. healthcare organizations and hospitals when it comes to data breaches, with 94 percent of healthcare organizations hit by at least one data breach and close to half suffering more than five breaches in the past two years.

The estimated cost of these breaches to the healthcare industry now averages $7 billion per year, a 15 percent increase over the past three years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security by The Ponemon Institute, which was commissioned by ID Experts.

"Most hospitals have suffered at least one data breach," says Larry Ponemon, chairman and founder of The Ponemon Institute. "Fifty-four percent say that they are not particularly confident that they can detect all data loss and theft. They're pragmatic and a little on the fatalistic side."

According to a second unrelated report from The Health Information Trust Alliance (HITRUST), there were some 500 data breaches at U.S. healthcare organizations from 2009 to the present, with 21 million personal records exposed -- an estimated cost of $4 billion in damages. HITRUST included only breaches affecting 500 or more individuals, and says the numbers, which come from U.S. Department of Health and Human Services (HHS) data, signal little improvement in preventing breaches.

More than 60 percent of those breaches occurred at smaller physician practices with one to 100 employees. The data shows it takes a healthcare organization an average of 84 days to identify a breach and 68 days to issue a notification of it.

"By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries," Daniel Nutkis, CEO of HITRUST, said in a statement. "While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size."

The Ponemon report surveyed hospitals and clinics associated with a healthcare network (46 percent), integrated delivery systems (36 percent), and stand-alone hospitals or clinics (18 percent). A total of 80 healthcare organizations participated in the study.

"Medical files, billing, and insurance information are most likely to be breached and other types of data like business-confidential information," Ponemon says.

About half of the respondents in the Ponemon survey said their data breaches led to actual medical identity theft among their patients. "That's actually not a huge number," Ponemon says.

Mobile devices have become commonplace in healthcare settings now, adding fuel to the risk fire. Some 80 percent of the organizations surveyed by Ponemon said they use mobile devices, with half of hospital staffers using their own mobile devices to access data for their organizations. "About half are doing a little less than nothing to ensure the security of personally owned mobile devices," he says.

And the cloud has come to healthcare, with 91 percent using some form of it, whether for consumer file-sharing or for storing patient medical records.

Medical devices aren't being secured: Nearly 70 percent of healthcare organizations in the Ponemon study don't secure devices, such as wireless heart pumps, mammogram imaging systems, and insulin pumps.

What makes healthcare data even more risky is how it's handled by so many different parties. "A lot of people touch your healthcare records -- nurses, doctors, and labs -- and a lot of mistakes can be made. Healthcare people are typically focused on healthcare," not necessarily security, says Rick Kam, president and co-founder of ID Experts.

The full Ponemon report is available here for download.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
