Lessons Learned From Major Healthcare Breaches

Uploaded on 2016-06-30 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare

Huge amounts of personal health data being collected, shared & analyzed. There are more reasons to worry about patient privacy than ever.

Recent leaps in technology toward health care digitization have resulted in unprecedented amounts of personal health data being collected, shared, and analyzed on an everyday basis. Due to this proliferation in data, there are now more reasons to be concerned about patient privacy than ever. 

Despite public concerns and government’s efforts, the frequency and magnitude of privacy breaches have been on an upward trend (see figure below) and data breaches are more likely to happen in the health care industry than any other sector. In this new report, Niam Yaraghi examines the recent privacy breaches in the health care system. He uncovers underlying factors leading to these incidents, documents lessons learned, and examines how to prevent similar breaches in the future.

Yaraghi and a team of researchers conducted a series of 22 in-depth interviews with key personnel at a wide variety of health care providers, health insurance companies, and industry business associates. These interviews revealed important lessons that are generalizable across the health care industry. Yaraghi identifies and explains several reasons that the health care sector is particularly vulnerable to privacy breaches:

  • Health care data are richer and more valuable for hackers.
  • Too many people have access to medical data;
  • Medical data are stored in large volumes and for a long time;
  • The health care industry embraced information technology too late and too fast;

The health care industry did not have strong economic incentives to prevent privacy breaches; and

As Yaraghi illustrates, medical data breaches can be especially catastrophic because they contain information that cannot be changed. If credit card information gets breached resulting in an unauthorized charge, the card issuer will instantly reverse the charge, freeze the old card, and send a new one. On the other hand, most medical data includes identifiers such as social security numbers, dates of birth, and home addresses which are nearly impossible to change or reset upon a breach. Precisely because of their constant and unchangeable nature, medical data are worth more than financial data on the black market. In hopes of lessening the catastrophic nature of such attacks, Yaraghi makes the following policy recommendations to better protect patient privacy and prevent breaches:

Health care organizations should prioritize patient privacy and use the available resources to protect it

The Office of Civil Rights (OCR) should better communicate the details of its audits

Health care organizations should better communicate with each other

OCR should establish a universal HIPAA certification system
The health care sector should embrace cyber insurance

Brookings Inst

« Enhanced Attribution: An Engine To Identify Hackers
What Might ‘Brexit’ Mean For Cybersecurity In The UK? »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Andrisoft

Andrisoft

Andrisoft develops WANGUARD, an anti-DDoS Software solution that monitors IP traffic using packet-based and flow-based Sensors, and protects networks

SecurePay

SecurePay

SecurePay is Australia's premier payment gateway, with a range of secure online payment solutions for online retailers, SMEs and enterprise businesses.

Pluribus One

Pluribus One

Pluribus One develops customized solutions and other data-driven applications to secure your business and your devices.

DreamIt Ventures

DreamIt Ventures

DreamIt Ventures is an early stage venture fund that accelerates startups building transformative tech products in the fields of Healthtech, Securetech, and Urbantech.

Dataprovider.com

Dataprovider.com

Our Brand Protection Suite gives you the tools to discover trademark infringement on the Internet, such as websites selling counterfeit products, even when this is not immediately noticeable.

AUREA Technology

AUREA Technology

The photon counter SPD_OEM_NIR from AUREA Technology is designed for quantum key distribution at telecom wavelengths.

Cord3

Cord3

Cord3 delivers data protection, even from trusted administrators – or hackers posing as administrators – with high privilege.

Cyolo

Cyolo

Cyolo’s Secure Access Service Edge (SASE) platform securely connects onsite and remote users to authorized assets, in the organizational network, cloud or IoT environments and even offline networks.

Motiv ICT Security

Motiv ICT Security

Motiv is the ICT security specialist that provides public and private sector organisations with IT security solutions and services to prevent cybercrime, data theft and data breaches.

HarfangLab

HarfangLab

HarfangLab develops a hunting software to boost detection and neutralization of cyberattacks against companies endpoints.

Acumera

Acumera

Acumera is a leader in managed network security, visibility and automation services.

Zorus

Zorus

Zorus provides best-in-class cybersecurity products to MSP partners to help them grow their business and protect their clients.

Goldilock

Goldilock

Goldilock is redefining how sensitive data, devices, networks and critical infrastructure can be secured.

NASK

NASK

NASK is a National Research Institute under the supervision of the Chancellery of the Prime Minister of Poland. Our key activities involve ensuring security online.

Blue Networks & Infrastructure (BNI)

Blue Networks & Infrastructure (BNI)

Blue Networks and Infrastructure (BNI) is an innovative systems integrator and managed services provider.

CPX

CPX

At CPX, we go beyond addressing today’s security risks—we anticipate the challenges of tomorrow.