Lessons Learned From Major Healthcare Breaches

Huge amounts of personal health data are being collected, shared, and analyzed. There are more reasons to worry about patient privacy than ever.

Recent leaps in technology toward health care digitization have resulted in unprecedented amounts of personal health data being collected, shared, and analyzed on an everyday basis. Due to this proliferation in data, there are now more reasons to be concerned about patient privacy than ever. 

Despite public concerns and government’s efforts, the frequency and magnitude of privacy breaches have been on an upward trend (see figure below) and data breaches are more likely to happen in the health care industry than any other sector. In this new report, Niam Yaraghi examines the recent privacy breaches in the health care system. He uncovers underlying factors leading to these incidents, documents lessons learned, and examines how to prevent similar breaches in the future.

Yaraghi and a team of researchers conducted a series of 22 in-depth interviews with key personnel at a wide variety of health care providers, health insurance companies, and industry business associates. These interviews revealed important lessons that are generalizable across the health care industry. Yaraghi identifies and explains several reasons that the health care sector is particularly vulnerable to privacy breaches:

  • Health care data are richer and more valuable for hackers;
  • Too many people have access to medical data;
  • Medical data are stored in large volumes and for a long time;
  • The health care industry embraced information technology too late and too fast;
  • The health care industry did not have strong economic incentives to prevent privacy breaches.

As Yaraghi illustrates, medical data breaches can be especially catastrophic because the records contain information that cannot be changed. If credit card information is breached and results in an unauthorized charge, the card issuer will instantly reverse the charge, freeze the old card, and send a new one. Most medical data, on the other hand, include identifiers such as social security numbers, dates of birth, and home addresses, which are nearly impossible to change or reset after a breach. Precisely because of their constant and unchangeable nature, medical data are worth more than financial data on the black market. In hopes of lessening the catastrophic nature of such attacks, Yaraghi makes the following policy recommendations to better protect patient privacy and prevent breaches:

  • Health care organizations should prioritize patient privacy and use the available resources to protect it;
  • The Office of Civil Rights (OCR) should better communicate the details of its audits;
  • Health care organizations should better communicate with each other;
  • OCR should establish a universal HIPAA certification system;
  • The health care sector should embrace cyber insurance.

Brookings Inst

