Attacks/Breaches
12/6/2012
04:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Most Healthcare Organizations Suffered Data Breaches

Data breach problems contagious among U.S. healthcare organizations, new reports show

Two separate reports released today show the critical condition of U.S. healthcare organizations and hospitals when it comes to data breaches, with 94 percent of healthcare organizations hit by at least one data breach and close to half suffering more than five breaches in the past two years.

The estimated cost to the healthcare industry of these breaches is now at an average of $7 billion per year, a 15 percent increase over the past three years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security study by The Ponemon Institute, which was commissioned by ID Experts.

"Most hospitals have suffered at least one data breach," says Larry Ponemon, chairman and founder of The Ponemon Institute. "Fifty-four percent say that they are not particularly confident that they can detect all data loss and theft. They're pragmatic and a little on the fatalistic side."

According to a second unrelated report from The Health Information Trust Alliance (HITRUST), there were some 500 data breaches at U.S. healthcare organizations from 2009 to the present, with 21 million personal records exposed -- an estimated cost of $4 billion in damages. HITRUST included only breaches affecting 500 or more individuals, and says the numbers, which come from U.S. Department of Health and Human Services (HHS) data, signal little improvement in preventing breaches.

More than 60 percent of those breaches came at smaller-sized physician practices, of one to 100 employees. The data shows it takes a healthcare organization an average of 84 days to identify a breach, and 68 days to issue a notification of it.

"By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries," Daniel Nutkis, CEO of HITRUST, said in a statement. "While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size."

The Ponemon report surveyed hospitals and clinics associated with a healthcare network (46 percent), integrated delivery systems (36 percent), and stand-alone hospitals or clinics (18 percent). A total of 80 healthcare organizations participated in the study.

"Medical files, billing, and insurance information are most likely to be breached and other types of data like business-confidential information," Ponemon says.

About half of the respondents in the Ponemon survey said their data breaches led to actual medical identify theft among their patients. "That's actually not a huge number," Ponemon says.

Mobile devices have become commonplace in healthcare settings now, adding fuel to the risk fire. Some 80 percent of the organizations surveyed by Ponemon said they use mobile devices, with half of hospital staffers using their own mobile devices to access data for their organizations. "About half are doing a little less than nothing to ensure the security of personally owned mobile devices," he says.

And cloud has come to healthcare, with 91 percent using some form of it, whether it's consumer file-sharing or for storing patient medical records.

Medical devices aren't being secured: Nearly 70 percent of healthcare organizations in the Ponemon study don't secure devices, such as wireless heart pumps, mammogram imaging systems, and insulin pumps.

What makes healthcare data even more risky is how it's handled by so many different parties. "A lot of people touch your healthcare records -- nurses, doctors, and labs -- and a lot of mistakes can be made. Healthcare people are typically focused on healthcare," not necessarily security, says Rick Kam, president and co-founder of ID Experts.

The full Ponemon report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio