Hospital Security Programs Ailing, Study Says

Patient data at risk due to lack of attention to policies, regulations

Security consultant's warning: Hospitals can be dangerous to your personal information.

From 2006 to 2007, more than 1.5 million patients' personal information was exposed through hospitals alone, according to a study released earlier this week by research firm HIMSS Analytics and Kroll Fraud Solutions, a risk management firm. That doesn't count insurance companies, pharmaceutical companies, or individual doctors' offices.

And those are only the breaches we know about. Some 44 percent of hospitals that experienced a breach last year did not inform the patients whose records were affected, according to the study.

Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in the Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.

This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.

Yet, despite these risks, more than 13 percent of hospitals report experiencing at least one breach in the past year, according to the HIMSS report. Identity theft was three times more likely to occur at a larger facility (over 100 beds) than at a smaller facility (under 100 beds).

And the situation is not getting better, the researchers warn. Of the hospitals that admitted experiencing a breach, 62 percent identified the source as unauthorized use of information, while 32 percent said the breach occurred due to wrongful access of paper records.

"Noticeably absent were breach sources associated with malicious intent, such as stolen computers and deliberate acts by unscrupulous employees," the report states. This suggests that while hospitals are focusing their efforts on protecting patient records from curious employees or accidental compromises, they have not built sufficient controls against intentional theft or fraud, the researchers say.

Statements about hospitals' efforts to protect patient data support the researchers' conclusions. For example, many hospitals said one of their chief strategies for defending against compromises is user education -- which does little to protect against malicious intent, the researchers note.

"There is an over-reliance on employee education and disciplinary action as effective prevention and response techniques that do not address the incidence of malicious intent that is responsible for the industry's largest and most damaging breaches," the study says. The researchers call for a "paradigm shift" toward developing security defenses against malicious attacks as well as inappropriate access.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
