Healthcare Security Improving But Still Needs Treatment

First-quarter year-over-year breach numbers declined in 2013, but a string of data security black eyes is still a symptom of healthcare's need for improved database security
As we come to the close of the first quarter, data breach numbers show a favorable trend in healthcare as the number of breach incidents and breached records at these organizations is decreasing relative to the same period last year. Security experts say that the early numbers could point to increasing pressure by federal regulators who are adding more teeth to HIPAA enforcement and consequently driving meaningful changes within the healthcare vertical. Nevertheless, 2013 so far has seen more than a few healthcare organizations suffer from embarrassing data security lapses, and it's clear there's still work to be done, experts say.

"In the US, federal regulators are very focused on healthcare in terms of their rulemaking and enforcement efforts under HIPAA," says Andy Green, technical content specialist for Varonis, who explains that practitioners he talks to are acutely aware of the pressure. "With recent changes to HIPAA, the penalties have become more severe--with a maximum of up to $1.5 million in annual fines."

He points to recent settlements against Massachusetts Eye and Ear Infirmary and the Alaska Department of Health and Human Services as visible examples of how regulators are cracking down.

[Why isn't DAM taking hold in the enterprise? See Five Hurdles That Slow Database Security Adoption.]

But security pros often warn that compliance with regulations does not necessarily mean improved security, so are these pressures actually making a dent in healthcare breach statistics?

The numbers aren't definitive and may only be correlational, but this year's healthcare data breach incidents point to "yes." In a study of publicly reported data breaches cataloged by the Privacy Rights Clearinghouse, Dark Reading found that first-quarter healthcare breaches in 2013 are down by about 30 percent compared with the same point in 2012. After removing an anomalous 2010 breach at Cord Blood Registry that appears to have been erroneously included in the 2013 year-to-date tally, the number of reported records breached is down by nearly 80 percent.

In other words, reported incidents are not just decreasing in number, but also in severity.

This tracks with a recent report by security consultancy Redspin, which found that even though the number of healthcare breaches involving patient health data increased by 21 percent in 2012, the corresponding number of records affected dropped by 77 percent.

However, Redspin's analysis warned that these improvements may lead to complacency, and that healthcare organizations should expect to become more attractive targets for external hackers in 2013 and beyond.

"We expect that the low incidence rate of hacking during the past few years was the calm before the storm," the report read. "It is crucial for healthcare providers to “up their game” when it comes to security defenses."

And in spite of improved numbers so far this year, the healthcare industry hasn't gone unscathed in 2013. In fact, in the last week two high-profile healthcare breaches have hit the headlines, both involving data on lost or stolen laptops.

The first, affecting an as-yet undisclosed number of patients at the University of Mississippi Medical Center, was caused by the disappearance of a laptop shared by hospital clinicians. The second exposed 4,000 patient records at the Oregon Health and Science University when a surgeon's laptop was stolen while he was vacationing in Hawaii. Both highlight one of the biggest database security issues in healthcare today: records that are pulled out of the database and end up on poorly protected endpoints.

"Healthcare breaches have often been the result of employees taking data from databases and then storing the records as unencrypted, inadequately permissioned data on file servers, or even worse, transferring the results to poorly secured laptops and other personal devices," Green says. "IT in healthcare orgs should be taking a closer look at what happens to information that’s been downloaded from databases and then made its way into spreadsheets, documents, and presentations on file servers."

The need for this scrutiny will only grow as more health records are digitized and more unstructured data lands on file systems. Employees often assume the files they're working on don't contain private medical data, only to discover after a device is stolen that they were wrong.
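Green's advice to look at what happens to data after it leaves the database can be made concrete. The script below is an added example, not code from Varonis, Dark Reading or any vendor quoted here: it walks a file share, reads plain-text exports (CSV, TSV, TXT), counts identifiers that typically only appear in rows pulled from a patient database (SSN, date of birth, medical record number), and flags files where the count crosses a threshold. The SSA never issues SSNs with area 000, 666 or 900-999, group 00 or serial 0000, and the script uses that to discard phone fragments and test values. The directory layout, file names and records it scans are constructed sample data, not real patients.

```python
import os
import re
import tempfile

# Identifier patterns typical of rows pulled out of a patient database.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
DOB_RE = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}(?!\d)")
MRN_RE = re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)

# Plain-text formats only: xlsx/docx are zip containers and would need unpacking first.
TEXT_EXTS = (".csv", ".tsv", ".txt")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues (000, 666, 900-999 areas; 00 group;
    0000 serial) so phone fragments and placeholder values are not counted."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def scan_text(text: str) -> dict:
    """Count PHI-like identifiers in a chunk of text."""
    ssns = [m for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]
    return {
        "ssn": len(ssns),
        "dob": len(DOB_RE.findall(text)),
        "mrn": len(MRN_RE.findall(text)),
    }


def scan_tree(root: str, min_hits: int = 3) -> list:
    """Walk a share and return [(path, counts)] for files whose identifier count
    reaches min_hits. One SSN in a memo may be noise; a file holding rows of
    SSN/DOB/MRN triples is almost certainly a database export."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEXT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                counts = scan_text(fh.read())
            if sum(counts.values()) >= min_hits:
                findings.append((path, counts))
    return sorted(findings, key=lambda f: f[0])


def build_sample_share() -> str:
    """Constructed sample share (not real data): an exported patient list,
    a harmless memo, and a phone list whose numbers resemble invalid SSNs."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "Clinic", "Reports"))
    export = os.path.join(root, "Clinic", "Reports", "q1_followups.csv")
    with open(export, "w") as fh:
        fh.write("last,first,dob,ssn,mrn\n")
        fh.write("Doe,Jane,03/14/1968,123-45-6789,MRN 00412233\n")
        fh.write("Roe,Rick,11/02/1975,219-09-9999,MRN 00412234\n")
        fh.write("Poe,Ann,07/30/1981,587-21-4321,MRN 00412235\n")
    with open(os.path.join(root, "Clinic", "memo.txt"), "w") as fh:
        fh.write("Reminder: staff meeting moved to 2:30 on Thursday.\n")
    with open(os.path.join(root, "Clinic", "vendors.txt"), "w") as fh:
        fh.write("Pager 000-12-3456, ext 666-00-0000, support 900-11-2222\n")
    return root


if __name__ == "__main__":
    for path, counts in scan_tree(build_sample_share()):
        print(path, counts)
```

Run against the constructed share, only `q1_followups.csv` is reported; the memo and the vendor list with SSA-impossible numbers are not. The threshold, not the regex alone, is what keeps the report actionable: a practitioner would follow a hit by checking who can read the file and whether the export should exist at all, rather than treating every nine-digit number as an incident.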

If healthcare organizations are to minimize the risks of these kinds of gaffes, they need to take a data-centric approach to security, says Dave Anderson, senior director of marketing for Voltage, an encryption vendor.

"I think many health care organizations are making improvements in securing their sensitive data, however, they are struggling with trying to protect their data with ineffective point solutions that don’t directly protect the data itself, which is the most critical asset to protect," Anderson says. "I think we’ll continue to see breaches and data losses occur within healthcare, as within other industries, until companies start to protect the data itself."
