Analecta Cyber Company Blog: Lessons learned from major healthcare data breaches

2016-05-26

Lessons learned from major healthcare data breaches


With the recent push toward digitizing health care, unprecedented quantities of personal health data are collected, shared, and analyzed every day. As a result, the risks to data security and patient privacy keep growing.
Despite efforts by both the private sector and the government, the frequency and magnitude of data breaches have continued to increase year over year, and studies indicate that the healthcare industry is more likely to be targeted than any other sector.

In a Brookings Institution study, a team of researchers conducted 22 in-depth interviews with key personnel across numerous healthcare providers, health insurance companies, and industry business associates. The investigation provides a comprehensive summary of why data breaches occur, documents the information organizations need in order to raise awareness among employees, and offers guidance on how to prevent the same kinds of breaches in the future.

The healthcare sector is targeted far more frequently than any other field, which makes it significantly more vulnerable to privacy breaches. Reasons for this increased vulnerability include:
  • healthcare data are richer than other personal data and therefore command a much higher price on the black market
  • too many employees have access to medical data and patients' health records
  • medical data are stored in large volumes and retained for a long time, often on a single server serving the whole facility network, so one compromise exposes everything
  • the healthcare industry adopted information technology late and without building in proper security
  • the healthcare industry has not had strong economic incentives to protect against privacy breaches
Breaches of healthcare information can be disastrous for one primary reason: patient information cannot be changed. Most medical records include sensitive data such as Social Security numbers, dates of birth, and home addresses, all of which are essentially permanent. When credit card information is breached, by contrast, the card issuer can reverse the charges and swap the card for a new one. This is the principal reason that medical data are worth significantly more than financial data on the black market.

To better protect patient privacy and prevent breaches in the future, the team of researchers recommends the following policies:
  • healthcare organizations should prioritize patient privacy and allocate available resources to data protection
  • the HHS Office for Civil Rights (OCR) should better communicate the details of its audits to all health facilities and organizations
  • communication between healthcare organizations is vital and should be practiced regularly
  • OCR should establish a universal HIPAA certification system
  • healthcare organizations should carry cyber insurance