Anurag Kahol, CTO, Bitglass, outlines findings from the sixth annual Healthcare Breach Report (conducted by Bitglass).
The vast majority of healthcare organisations in the U.S. make use of protected health information (PHI) which includes sensitive data such as patient medical history, social security numbers, and personal financial information.
Clearly these assets should be treated with the utmost care, yet a recent study into data from the U.S. Department of Health and Human Services’ ‘Wall of Shame’, revealed that in 2019, PHI breaches affected over 27 million individuals.
The incidents are broken into four categories: hacking or IT incidents, unauthorised access or disclosure, loss or theft, and other miscellaneous breaches and leaks related to situations such as the improper disposal of data.
This presents a wide range of problems, with the number of records exposed last year more than double the total exposed in 2018.
The rate also doubled between 2017 and 2018, and the average number of individuals affected per breach reached 71,311 in 2019, nearly twice that of 2018 (39,739).
Additionally, this was the first time since 2016 that the number of breaches reached over 300 – the 386 incidents in 2019 represented a 33% increase over 2018. The total number of records breached has more than doubled each year; from 4.7M in 2017 to 11.5M in 2018, and to 27.5M in 2019.
The financial impact also increased with the cost per breached record in healthcare standing at $429 in 2019. Consequently, with 27.5 million records exposed last year, healthcare organisations lost $11.8 billion to data breaches.
Identifying the cause and finding a cure
Part of the problem is that healthcare databases are heavily targeted by cybercriminals as they hold a wealth of sensitive information.
This means that healthcare firms must employ the appropriate technologies and cybersecurity practices to ensure that all data within their IT systems is secure.
The fact that hacking and IT incidents were the top cause of breaches in healthcare, accounting for more than 60% of all data leakage, is therefore not particularly surprising. Threat actors are maturing their capabilities to adapt to the security measures that organisations are putting in place.
PHI is now routinely making its way to a wide range of cloud applications – not just Electronic Medical Records and other clinical systems specifically designed to store PHI, but email, file storage and productivity suites like Office 365. To defend against data breaches, it is vital that organisations strictly manage access to, and control the flow of, PHI, especially within cloud applications.
However, healthcare organisations have become comfortable with the fact that major cloud vendors are investing in security and putting effort into protecting data at rest.
This allows organisations to prioritise protecting data on personal devices and when it is being shared externally. This is in contrast to other industries, such as financial services, where the driver is to keep sensitive data from getting to the cloud in the first place.
One of the issues that healthcare organisations face is that workers are often mobile, requiring them to have remote access. Complicating matters more is the fact that clinical staff are not always employees of the organisation.
This makes it even more difficult for IT to control personal devices, making it absolutely necessary to have an agentless solution that can protect data wherever it goes.
Regardless of these challenges, many healthcare organisations do ensure they have the proper security tools to stop the consistent growth in data breaches. Those that fail to do so will only erode trust in an industry founded on the right of individuals to long-term confidentiality.