Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Hospital Security Programs Ailing, Study Says

Patient data at risk due to lack of attention to policies, regulations

Security consultant's warning: Hospitals can be dangerous to your personal information.

From 2006-2007, more than 1.5 million patients' personal information was exposed through hospitals alone, according to a study released earlier this week by research firm HIMSS Analytics and Kroll Fraud Solutions, a risk management firm. That doesn't count insurance companies, pharmaceutical companies, or individual doctors' offices.

And those are only the breaches we know about. Some 44 percent of hospitals that experienced a breach last year did not inform the patients whose records were affected, according to the study.

Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.

This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.

Yet, despite these risks, more than 13 percent of hospitals report experiencing at least one breach in the past year, according to the HIMSS report. Identity theft was three times more likely to occur at a larger facility (over 100 beds) than at a smaller facility (under 100 beds).

And the situation is not getting better, the researchers warn. Of the hospitals that admitted experiencing a breach, 62 percent identified the source as unauthorized use of information, while 32 percent said the breach occurred due to wrongful access of paper records.

"Noticeably absent were breach sources associated with malicious intent, such as stolen computers and deliberate acts by unscrupulous employees," the report states. This suggests that while hospitals are focusing their efforts on protecting patient records from curious employees or accidental compromises, they have not built sufficient controls against intentional theft or fraud, the researchers say.

Statements about hospitals' efforts to protect patient data support the researchers' conclusions. For example, many hospitals said one of their chief strategies for defending against compromises is user education -- which does little to protect against malicious intent, the researchers note.

"There is an over-reliance on employee education and disciplinary action as effective prevention and response techniques that do not address the incidence of malicious intent that is responsible for the industry's largest and most damaging breaches," the study says. The researchers call for a "paradigm shift" toward developing security defenses against malicious attacks as well as inappropriate access.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31476
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the han...
CVE-2021-31477
PUBLISHED: 2021-06-16
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-...
CVE-2021-32690
PUBLISHED: 2021-06-16
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This...
CVE-2021-32691
PUBLISHED: 2021-06-16
Apollos Apps is an open source platform for launching church-related apps. In Apollos Apps versions prior to 2.20.0, new user registrations are able to access anyone's account by only knowing their basic profile information (name, birthday, gender, etc). This includes all app functionality within th...
CVE-2021-32243
PUBLISHED: 2021-06-16
FOGProject v1.5.9 is affected by a File Upload RCE (Authenticated).