Attacks/Breaches
12/6/2012 04:10 PM

Most Healthcare Organizations Suffered Data Breaches

Data breach problems contagious among U.S. healthcare organizations, new reports show

Two separate reports released today show the critical condition of U.S. healthcare organizations and hospitals when it comes to data breaches, with 94 percent of healthcare organizations hit by at least one data breach and close to half suffering more than five breaches in the past two years.

The estimated cost of these breaches to the healthcare industry now averages $7 billion per year, a 15 percent increase over the past three years, according to the Third Annual Benchmark Study on Patient Privacy & Data Security by the Ponemon Institute, which was commissioned by ID Experts.

"Most hospitals have suffered at least one data breach," says Larry Ponemon, chairman and founder of The Ponemon Institute. "Fifty-four percent say that they are not particularly confident that they can detect all data loss and theft. They're pragmatic and a little on the fatalistic side."

According to a second unrelated report from The Health Information Trust Alliance (HITRUST), there were some 500 data breaches at U.S. healthcare organizations from 2009 to the present, with 21 million personal records exposed -- an estimated cost of $4 billion in damages. HITRUST included only breaches affecting 500 or more individuals, and says the numbers, which come from U.S. Department of Health and Human Services (HHS) data, signal little improvement in preventing breaches.

More than 60 percent of those breaches occurred at small physician practices of one to 100 employees. The data shows it takes a healthcare organization an average of 84 days to identify a breach and a further 68 days to issue a notification of it; for comparison, the HIPAA Breach Notification Rule requires notification without unreasonable delay and no later than 60 calendar days after discovery.

"By conducting and publicizing this analysis, we believe that over time we can facilitate a fundamental shift in the healthcare industry toward achieving a state of security and privacy that is on par with other leading industries," Daniel Nutkis, CEO of HITRUST, said in a statement. "While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size."

The Ponemon report surveyed hospitals and clinics associated with a healthcare network (46 percent), integrated delivery systems (36 percent), and stand-alone hospitals or clinics (18 percent). A total of 80 healthcare organizations participated in the study.

"Medical files, billing, and insurance information are most likely to be breached and other types of data like business-confidential information," Ponemon says.

About half of the respondents in the Ponemon survey said their data breaches led to actual medical identity theft among their patients. "That's actually not a huge number," Ponemon says.

Mobile devices are now commonplace in healthcare settings, adding to the risk. Some 80 percent of the organizations surveyed by Ponemon said they use mobile devices, and at half of them hospital staffers use their own personal devices to access organizational data. "About half are doing a little less than nothing to ensure the security of personally owned mobile devices," he says.

Cloud services have reached healthcare as well: 91 percent use some form of them, ranging from consumer file-sharing to storage of patient medical records.

Medical devices are not being secured, either: nearly 70 percent of the healthcare organizations in the Ponemon study do not secure devices such as wireless heart pumps, mammogram imaging systems, and insulin pumps.

What makes healthcare data even more risky is how it's handled by so many different parties. "A lot of people touch your healthcare records -- nurses, doctors, and labs -- and a lot of mistakes can be made. Healthcare people are typically focused on healthcare," not necessarily security, says Rick Kam, president and co-founder of ID Experts.

The full Ponemon report is available here for download.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
