The Losing Battle of Healthcare Data Breaches
We are still in the first few months of the year and multiple data breaches at hospitals and healthcare systems have been reported throughout the U.S.
The alarming problem with these reports is that they are published in healthcare blogs after the fact, rather than being reported to the authorities by the hospitals at the time the breach occurs. It has been noted before that a hospital will often pay the ransom to have its data released by the attackers, in order to avoid the downtime that involving the authorities would cause.
But data breaches should not be treated like a common cold. Patient data is put at risk and, if it falls into the wrong hands, can ruin the lives of thousands of victims.
Recently, the Denton Heart Group suffered a massive data breach when an external hard drive was stolen in January. Nearly 22,000 patients were affected, and in response Denton offered one year of credit monitoring services through Experian.
Also reported this year was Chadron Community Hospital’s breach, an insider incident: an employee had been reviewing patient records off-site, for reasons unrelated to their job, over a period of more than five years. This breach affected over 700 patients, who received no more than the hospital’s advice to request a free credit report to check whether their data had been compromised.
But what happens when the stolen data is not returned to the rightful owners?
Such is the case of the Behavioral Health Center in Bangor, Maine, from which over 4,500 records were stolen. These records included all patient data, along with detailed notes from therapeutic sessions, evaluations, sex offender registrations and abuse victim information. Once the hacker obtained the records, they opted to keep them and later sold them via the dark web. (More info on the dark web can be found in the links below.) The ad placed on the dark web listed the data like any regular merchandise that could easily be found and purchased on a site like Craigslist. The seller wanted all or nothing, and even suggested to potential buyers that they simply sell the data back to the health center in Maine. The seller knew about BHC’s $4M insurance policy covering malpractice, errors, and omissions. By the following Monday, the ad title had simply changed to “SOLD.”
According to JAMA Internal Medicine, teaching hospitals and facilities with high bed counts are at greater risk of suffering data breaches. According to recent data collected by JAMA, 216 hospitals reported a total of 257 breaches, with at least 15% of these hospitals having been attacked more than once. Data sharing has been pinpointed as a leading factor in these breaches. Dr. Ge Bai, PhD, at the Johns Hopkins Carey Business School acknowledges the difficulty: “It is very challenging for hospitals to eliminate data breaches, since data access and sharing are crucial to improve the quality of care, advance research, and improve educational standards,” Dr. Bai said. “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”
According to Michael Williams, CEO at Global Healthcare IT, “Insufficient emphasis is put on the value of protecting patient data. The real issue is that it is often thought to be expensive to adequately shield healthcare records, and secondly, IT and data security is not the hospital’s core business. Any hospital’s main focus is on patient care. IT and data security tend to be an afterthought. If mandated by law, the likelihood for improved data security may better exist. At which point, who pays for it? Healthcare customers and insurance companies don’t want to pick up the bill. Nor is the federal government in the mood to spend more money in this area. In the end, only when one of the breaches becomes catastrophic will public opinion change towards healthcare data security.”
In the meantime, one solution might be for a hospital to consider a secure cloud environment, run by an experienced corporation capable of protecting the data. To find out more about secure and federally compliant (HIPAA-approved) cloud-based environments, feel free to contact Michael at mikew@globalhit.com