Healthcare Data Breaches 2017: 4 Steps to Self-Check
Data breaches are becoming a more serious threat than ever before, especially within the healthcare sector. Many medical organizations have been attacked by hackers in the past five years. So, how can caregivers protect themselves to avoid data breaches in healthcare?
What is a healthcare data breach? A data breach is illegal or unauthorized access to any kind of data by software, an application, or an individual. Data breaches are usually aimed at viewing, modifying, publishing, stealing, removing, or copying information in order to profit from it or harm the data owner. In healthcare, the data can include patient health information (PHI), medical records, clinical trial results, etc. A data breach occurs when a hacker, a piece of software, or any other person accesses a repository by exploiting vulnerabilities in the security system, or because no security system is in place. A report provided by the Ponemon Institute shows that healthcare security breaches could cost the industry around $6.2 billion. The survey also states that 79% of medical organizations experienced two or more data breaches in the past two years, though most of them affected fewer than 500 records, which is why these cases were not reported to the US Department of Health and Human Services (DHHS). Below, we will consider the biggest healthcare data breaches that occurred in 2017.
2017 Data Breaches in Healthcare
According to statistics provided by the cyber security vendor NTT Security (previously Solutionary), 88% of ransomware attacks in the second quarter of 2016 were aimed at the healthcare sector, with only 4% aimed at the financial industry. 62% of all attacks fell into three types: web application attacks (24%), malicious software or malware (19%), and application-specific attacks (19%). In that period, cyber attacks on the healthcare industry led to about 12 million breached records, according to a report published by HealthcareDive. So, what kind of breaches did the healthcare industry suffer in 2017?
National Health Service Hit by #wannacry Ransomware
On May 12th, 16 organizations in England and Scotland under the National Health Service were affected by a ransomware attack. The investigation determined that the ransomware was Wanna Decryptor. Within only two days, #wannacry ransomware had spread to 150 countries, and it paralyzed each affected system’s ability to treat patients, as medical employees could not access patient data. Attackers demanded £415,000 GBP ($535,558 USD), threatening to destroy all files if this amount was not paid. A 2016 IBM survey noted that 70% of healthcare organizations that had been hit by ransomware attacks ended up paying the criminals to restore their data.
Molina Healthcare’s Vulnerability
On May 26th 2017, Molina Healthcare’s patient portal was shut down due to a serious vulnerability that allowed any patient to view other patients’ medical records simply by changing a number in the URL. It is unknown how many medical claims were disclosed, as the system did not require any authentication to access the PHI; however, the Medicaid and Affordable Care Act insurer serves 4.8 million people across 12 states.
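The portal flaw described above is an authorization gap: a record id taken from the URL was the only input to the lookup. The following added example (not Molina’s code; the in-memory claims store, the Session type and the status codes are assumptions) contrasts that pattern with a lookup that requires a login and checks that the claim belongs to the caller:

```python
"""Vulnerable vs. hardened record lookup for a patient portal.
Constructed example; the data store and session model are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample claims, keyed by the sequential id that appeared in the URL.
CLAIMS = {
    1001: {"patient_id": "P-1", "diagnosis": "constructed-diagnosis-A"},
    1002: {"patient_id": "P-2", "diagnosis": "constructed-diagnosis-B"},
}


@dataclass
class Session:
    """Identity of the logged-in caller; patient_id is None when there is no valid login."""
    patient_id: Optional[str]


def get_claim_vulnerable(session, claim_id):
    """The pattern the article describes: the id from the URL is the only thing
    consulted, so the session (even a missing one) never matters."""
    return CLAIMS.get(claim_id)


def get_claim_hardened(session, claim_id):
    """Require a login, then check ownership of the requested claim.

    Returns (status, body). A foreign claim and a missing claim both yield 404,
    so the response does not reveal which ids exist to someone changing the number.
    """
    if session is None or session.patient_id is None:
        return 401, None  # no authenticated caller
    claim = CLAIMS.get(claim_id)
    if claim is None or claim["patient_id"] != session.patient_id:
        return 404, None  # not found, or not this caller's record
    return 200, claim
```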
Indiana Medicaid’s Health Information Breach
On May 10th 2017, Indiana Medicaid found a live hyperlink to its patients’ data. As the healthcare organization stated at the time, the disclosed information could be used inappropriately, because it contained the following data:
Medicaid ID numbers;
Names and addresses of doctors;
Doctors’ paychecks; and,
Dates of services.
1.1 million patients’ records were disclosed, and the investigation showed that the data had been publicly available since February 2017.
Theft in Washington State University
In April 2017, a hard drive was stolen from Washington State University containing survey participants’ names, PHI, and Social Security numbers. The university staff found an unlocked safe that was missing the hard drive which contained unencrypted backup files from their research center. As a result, the personal data from 1 million people was stolen.
HealthNow Networks Blunder
HealthNow Networks, a Florida-based telemarketing company, used to provide medical supplies to seniors who used diabetic equipment. The company had hired a contractor for software development, as it needed to create a customer database of nearly 1 million seniors. Three years ago, the project was abandoned, but it was discovered that the unencrypted database backup, which had been uploaded to the Internet at that time, was still accessible in April 2017. The information contained the following:
Dates of birth;
Health insurance carriers;
Social Security numbers; and,
The contractor could not explain why the database had never been deleted. Unfortunately, the company’s blunder and the developer’s unprofessionalism led to the disclosure of 918,000 seniors’ personal information.
Ransomware Attack on Airway Oxygen
Airway Oxygen, a home medical equipment supplier, experienced a ransomware attack in April 2017 when a hacker managed to install malware after gaining access to the network. With the malware installed, employees could not access the PHI in the database. The information included names, dates of birth, addresses, health insurance details, phone numbers, and diagnosis information. After the incident, the company changed all passwords for vendors, users, and applications. Unfortunately, the main cause of the successful attack was that Airway Oxygen did not have a proper security system.
Healthcare Data Breach Forecast
Experian, a global information services agency, recently published its 2017 forecast describing the state of cyber security and cyber attacks in the healthcare industry. One of its top five predictions is that medical organizations, compared with other industries, will suffer the most from new cyber attacks. The sobering forecast can be explained by the fact that healthcare organizations are the most vulnerable entities among all companies, with security systems often remaining outdated and easy for criminals to hack. Furthermore, hackers can always find buyers for stolen patient information quite easily.
The report outlines that the type of PHI most targeted by hackers is electronic medical records. With the emerging trend of deploying mobile applications in healthcare, caregivers create new and easy ways for cyber criminals to cash out. Such innovations open new vulnerabilities for those who want to profit by reselling PHI. Taking into account that federal health regulators have obtained more than $16 million in settlements from only five entities for PHI privacy violations, medical organizations must implement effective measures to prevent data breaches.
How to Prevent Security Breaches in Healthcare
Continued learning and education about known PHI breach incidents is crucial for determining an effective set of measures that will help caregivers avoid hacking attacks, unauthorized health data disclosures, and the tremendous HIPAA violation fines imposed by federal health regulators. Having considered the latest health data breaches above, we can determine why they occur and how to avoid them. With hackers focusing increasingly on caregivers, healthcare organizations need to implement modern, effective cyber security systems that can prevent ransomware attacks and help avoid data breaches altogether. Let’s consider some necessary measures that will definitely be helpful in doing so.
Annual HIPAA Security Risk Assessments
Regular risk analysis is one of the HIPAA requirements. It is necessary to plan the budget in a way that allows the organization to conduct a risk assessment at least once a year. With the implementation of new IT systems and policy enhancements, new vulnerabilities are likely to emerge, which is why periodic risk analysis, together with continuous monitoring, can ensure that security holes are detected in a timely manner. Such a simple measure will help avoid any data loss in the event of a ransomware attack.
You may wish to approach an IT specialist who has professional and proven experience creating protected software and HIPAA compliant solutions. This will increase your chances of conducting an effective analysis that will help detect all inner vulnerabilities and create a strict plan of necessary countermeasures. Archer-Soft, our professional team of software developers and cyber security specialists, will conduct efficient penetration tests on your healthcare organization and provide you with a comprehensive plan of measures that will ensure full security across all your systems.
Data Encryption on Portable Devices
Data encryption is not only an effective measure that helps avoid data breaches, it is actually a HIPAA requirement that ensures that third parties cannot gain access to patient data. In fact, the use of portable devices in healthcare organizations creates a serious risk of data disclosure. If, however, the information is encrypted, it is protected from unauthorized access, thus closing the gap for data breaches and tremendous fines for PHI privacy violations. This rule has to be written into the policy of any medical organization.
Continuous HIPAA Education
The implementation of modern cyber security systems, IT infrastructure enhancements, and encryption of all data in your entity are actually worthless measures if your staff are not aware of the importance of these processes. That is why it is so important to conduct regular education sessions and refresher training, in order to increase security awareness among medical employees. Even if your employees claim to be familiar with all measures and rules, such training will ensure they are fully up to date and that the rules and requirements are fresh in their minds on a regular basis.
Access Attempt Monitoring
Healthcare employees must have limited data access, based on their specialization and operational requirements. Internal medical systems have to record every data access attempt and store the corresponding log in the database. This helps detect a cyber threat in a timely manner and makes it possible to apply the necessary countermeasures to avoid security breaches in healthcare organizations.
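As an added example of the access-attempt review this section calls for (not code from the page or from Archer-Soft; the log format, the field names and the thresholds are assumptions to be tuned per organization), the following script parses constructed access-log lines and flags a user whose denied attempts cluster within a short window:

```python
"""Review PHI access-attempt logs for bursts of denied requests.
Constructed example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, role, patient record, outcome.
LOG = """\
2017-05-10T08:00:12 nurse01 nurse P-100 ALLOW
2017-05-10T08:01:30 nurse01 nurse P-101 ALLOW
2017-05-10T08:02:05 billing7 billing P-300 DENY
2017-05-10T08:02:09 billing7 billing P-301 DENY
2017-05-10T08:02:14 billing7 billing P-302 DENY
2017-05-10T08:02:20 billing7 billing P-303 DENY
2017-05-10T08:02:25 billing7 billing P-304 DENY
2017-05-10T08:02:31 billing7 billing P-305 DENY
2017-05-10T08:10:00 drlee physician P-200 ALLOW
"""


def parse(log):
    """Split each log line into (timestamp, user, role, patient, outcome)."""
    rows = []
    for line in log.splitlines():
        ts, user, role, patient, outcome = line.split()
        rows.append((datetime.fromisoformat(ts), user, role, patient, outcome))
    return rows


def find_denied_bursts(rows, max_denied=5, window=timedelta(minutes=5)):
    """Return {user: count} for users with more than max_denied DENY events
    inside any sliding window of the given length."""
    denied_times = defaultdict(list)
    for ts, user, _role, _patient, outcome in rows:
        if outcome == "DENY":
            denied_times[user].append(ts)
    flagged = {}
    for user, times in denied_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_denied:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged
```

Here billing7 is flagged for six denied record lookups in under a minute, the kind of pattern that warrants checking whether the account is being misused or its access scope is misconfigured.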
Recent data breaches in the healthcare sector show that caregivers have to approach cyber security in a serious and responsible manner. Every measure matters, and precaution is always required. 2017 is the time when hackers will increasingly focus their efforts on healthcare organizations, which is why caregivers should pay attention to the cyber protection of their entities. Archer-Soft has been working with healthcare clients for 17 years and we have obtained a lot of experience creating mobile applications, web services, online platforms, and software in the healthcare industry. Upon request, you will receive a custom and fully secure solution that will protect your organization from ransomware attacks and prevent data breaches. Contact our team at email@example.com and forget about cyber threats!