Insiders Are The Cause Of Most Healthcare Breaches

Ransomware and hacking incidents plagued 2016, and this year is no different, with the latest Protenus Breach Barometer midyear report finding that 2017 is on pace to exceed last year’s rate of one breach per day.

So far this year, the healthcare sector has reported 233 breach incidents to the US Department of Health and Human Services, state attorneys general and media. More than 3.16 million patient records have been breached.

The report analyzed 193 of the incidents for which it had data. Breaches have remained steady in the last six months outside of June, which saw a spike with 52 incidents. And March saw the most patients affected, with 1,360,961 records breached.

“The healthcare sector will only stop being so vulnerable when the advances in data collection, sharing and analytics are matched with similar advances in our understanding of how to protect patient data,” said Protenus Cofounder and President Robert Lord.

“Healthcare has invested tens of billions of dollars in deploying systems to leverage data to improve patient outcomes, and appropriately so,” he continued. “But we still have massive problems with the abuse of that data and those systems.”

So what are the biggest threats plaguing healthcare in 2017? Insiders and hackers.

Hacking accounted for 75 breaches this year, with 1,684,904 patient records impacted. Malware and ransomware were specifically mentioned in 29 of these incidents, but the report found there were many additional incidents where malware was reported as hacking or an IT incident.

Officials expect more organisations to report ransomware attacks this year, as HHS updated its ransomware reporting requirements in Aug. 2016. The update places the burden of proof on the provider to demonstrate data remained inaccessible or weren’t exfiltrated.

Insiders also remain a constant challenge for healthcare, accounting for 96 incidents, or 41 percent of data breaches so far this year. More than 1.17 million patient records were breached by insider error or wrongdoing.

Wrongdoing is liable to cause significant damage, as it’s rarely detected immediately. For example, Anthem reported this week that an employee of its Medicare insurance coordination services vendor was stealing and misusing Medicaid member data from as early as July 2016. The breach wasn’t found until April.

Another issue plaguing the healthcare sector is that other types of external attacks have been underreported or unreported. Thousands of databases in all sectors have been wiped or had their data exfiltrated. The report found that only a few of these were reported to HHS.

The FBI has also reported that these ‘ransacking’ incidents or targeted databases aren’t being reported.

“Healthcare executives, at a fundamental level, should stop thinking about security and privacy as a cost center and more as a strategic pillar of their organisation,” said Lord. “We've continued to see increased awareness and incremental improvements, but not the needed dramatic leap forward.”

To Lord, the leap will be driven by CISOs and Chief Privacy Officers, “dramatically increasing investment in these areas to match other industries and leveraging the use of advanced analytics to detect inappropriate uses of patient data.”

“A culture of trust, comprised of dual pillars of privacy and security, must come from the highest levels of the organisation.”

Healthcare IT News
