Unprecedented growth in hospital breaches in the U.S.

Hospital breaches have been on an upward trend for years – and recent reports show that data breaches have been more prevalent than we think.

A report put together by Michigan State University noted that almost 1,800 data breaches occurred in more than 200 hospitals across the U.S. between 2009 and 2016.

On average, that’s 9 breaches per hospital!

The report assessed data that was provided by the Department of Health and Human Services (HHS) between October 2009 and December 2016.

Other research shows that, out of 257 data breaches, only 216 were reported by the hospitals.

What’s possibly even more disturbing is the fact that 33 hospitals experienced more than one breach, most of these were reportedly large major teaching institutions. As they are teaching hospitals, most departments will have students handling patient records and data, so it’s clear to point out that students may not have received the same extensive training on data protection as other employees would.

Reporting a breach

As with the U.K., U.S. healthcare organisations must notify authorities when a cyber-attack/data breach happens. This is covered by the Health Insurance Portability and Accountability Act (HIPPA). It dictates that any breaches must be notified to the HHS that affect 500 or more individuals. It also places an emphasis on the speed of reporting the data breaches, meaning companies and organisations must report any breaches within 60 days from when they first discovered the breach.

However, the report found that only 68% of healthcare organisations reported data breaches, which arguably puts millions of patients’ data at risk. There’s also a grey area surrounding when a data breach is first discovered; in order to extend the period of time given for reporting a breach, organisations may falsify the time they discover a breach.

This is shown in a ‘newly-uncovered attack’ where cyber-attackers reportedly accessed the data of 4 million patients at Advocate Health and Hospitals Corporation in Illinois. Although cyber-security experts and data protection organisations push for companies and organisations to boost their customers/users/patients’ data, one expert told Daily Mail Online that cyber-attacks are “becoming increasingly sophisticated” and it would be impossible for hospitals to guarantee the safety of medical records.

Data breaches are imminent; but they can be reduced

A current faculty member at John Hopkins University, Dr Ge Bai, notes that data breaches affect two parties:

“There is the damage to the patients because it hurts our confidentiality.”

“And then there is the damage to the hospitals because of the huge costs they incur. They have the experts who are investigating, they have to pay a subscription to the victims, and they need an emergency reaction team.”

Researchers note the unfortunate compromise that has become evidence in today’s digital age. They claim that their findings show a trade-off between ‘healthcare systems having access to information they need’ and ‘a hacker planning to spend your savings at Best Buy’.

It’s long been the case that hospital records have been a data-filled gold mine. However, experts note that most hospitals aren’t prepared for potential cyber-attacks. Dr Bai notes that hospitals “…can only mitigate, not eliminate.”

According to KPMG’s Healthcare and Cyber Security report (2015), 81% of healthcare Chief Information Officers reveal that their hospitals data has been compromised by some kind of cyber-attack at least once in the past 2 years.

Although total elimination could be impossible, healthcare organisations must do their best to lessen the chances of a data breach by implementing and continually reviewing their response plans to ensure its effectiveness.

Sources:

https://advisory.kpmg.us/content/dam/kpmg-advisory/PDFs/ManagementConsulting/2015/KPMG-2015-Cyber-Healthcare-Survey.pdf
http://www.securedgenetworks.com/blog/4-common-reasons-hospital-wireless-networks-are-an-easy-target-for-cyber-attacks
http://www.dailymail.co.uk/health/article-4391424/Hundreds-major-hospital-data-breaches-gone-unreported.html