Attacks/Breaches
12/6/2012
04:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Most Healthcare Organizations Suffered Data Breaches

Data breach problems contagious among U.S. healthcare organizations, new reports show

Two separate reports released today show the critical condition of U.S. healthcare organizations and hospitals when it comes to data breaches, with 94 percent of healthcare organizations hit by at least one data breach and close to half suffering more than five breaches in the past two years.

The estimated cost to the healthcare industry of these breaches is now at an average of $7 billion per year, a 15 percent increase over the past three years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security study by The Ponemon Institute, which was commissioned by ID Experts.

"Most hospitals have suffered at least one data breach," says Larry Ponemon, chairman and founder of The Ponemon Institute. "Fifty-four percent say that they are not particularly confident that they can detect all data loss and theft. They're pragmatic and a little on the fatalistic side."

According to a second unrelated report from The Health Information Trust Alliance (HITRUST), there were some 500 data breaches at U.S. healthcare organizations from 2009 to the present, with 21 million personal records exposed -- an estimated cost of $4 billion in damages. HITRUST included only breaches affecting 500 or more individuals, and says the numbers, which come from U.S. Department of Health and Human Services (HHS) data, signal little improvement in preventing breaches.

More than 60 percent of those breaches came at smaller-sized physician practices, of one to 100 employees. The data shows it takes a healthcare organization an average of 84 days to identify a breach, and 68 days to issue a notification of it.

"By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries," Daniel Nutkis, CEO of HITRUST, said in a statement. "While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size."

The Ponemon report surveyed hospitals and clinics associated with a healthcare network (46 percent), integrated delivery systems (36 percent), and stand-alone hospitals or clinics (18 percent). A total of 80 healthcare organizations participated in the study.

"Medical files, billing, and insurance information are most likely to be breached and other types of data like business-confidential information," Ponemon says.

About half of the respondents in the Ponemon survey said their data breaches led to actual medical identify theft among their patients. "That's actually not a huge number," Ponemon says.

Mobile devices have become commonplace in healthcare settings now, adding fuel to the risk fire. Some 80 percent of the organizations surveyed by Ponemon said they use mobile devices, with half of hospital staffers using their own mobile devices to access data for their organizations. "About half are doing a little less than nothing to ensure the security of personally owned mobile devices," he says.

And cloud has come to healthcare, with 91 percent using some form of it, whether it's consumer file-sharing or for storing patient medical records.

Medical devices aren't being secured: Nearly 70 percent of healthcare organizations in the Ponemon study don't secure devices, such as wireless heart pumps, mammogram imaging systems, and insulin pumps.

What makes healthcare data even more risky is how it's handled by so many different parties. "A lot of people touch your healthcare records -- nurses, doctors, and labs -- and a lot of mistakes can be made. Healthcare people are typically focused on healthcare," not necessarily security, says Rick Kam, president and co-founder of ID Experts.

The full Ponemon report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-3636
Published: 2014-10-25
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.