It has been reported by the HIPPA Journal that more than 38 million healthcare records were exposed in breaches throughout 2019. October in particular was the month with the highest number of data breaches being formally reported by the healthcare sector. 28 of the incidents were caused by unauthorized access or disclosure, while 18 of them originated from hacking or IT incidents. This shows that the healthcare industry is still a target that is both appealing and easy to attack.
Over 38 Million Healthcare Records Exposed in Breaches Over 2019 – by @Ionut_Ilascuhttps://t.co/YxuLldSwZs
— BleepingComputer (@BleepinComputer) November 26, 2019
Commenting on the story are the following cybersecurity professionals:
Healthcare information is some of the most sensitive of personal information. While it is important to have healthcare information readily available to medical professionals, care needs to be taken that the information is not made available to criminals trying to gain access.
It\’s not that there is a lack of data protection tools and procedures. Encryption, multi-factor authentication, data access models and such all exist. What we have is more of a lack of willingness, or awareness to implement strong data protection controls, in some cases for good reason. But broadly speaking this is a cultural issue, where medical institutes by and large do not consider security requirements, and do not drill in security through every role. Until we see cyber security being embedded into the culture of healthcare organisations in the same way that we try to combat the spread of germs with constant reminders and availability of anti-bacterial hand wash, we will continue to see breaches occur.
“Considerably more health records are currently being sold via the Dark Web. Even if we ignore old dumps, duplicates and fakes, we will likely arrive at a substantially higher number. The reported number is composed of identified and reported breaches, but that is just the tip of the iceberg. Most of the breaches are, however, never detected due to their sophistication or inadequate level of cybersecurity and breach detection.
\”Worse, with the rapid proliferation of outsourcing and sensitive data handling by numerous third-parties, breaches stemming from external providers is unclear but probably of immense size. Continuous security monitoring and anomaly detection, asset inventory and attack surface management enhanced with well-thought-out and properly enforced third-party risk management is crucial for an effective cybersecurity strategy.”
Healthcare information is some of the most sensitive of personal information. While it is important to have healthcare information readily available to medical professionals, care needs to be taken that the information is not made available to criminals trying to gain access.
It\’s not that there is a lack of data protection tools and procedures. Encryption, multi-factor authentication, data access models and such all exist. What we have is more of a lack of willingness, or awareness to implement strong data protection controls, in some cases for good reason. But broadly speaking this is a cultural issue, where medical institutes, by and large, do not consider security requirements, and do not drill in security through every role. Until we see cybersecurity being embedded into the culture of healthcare organisations in the same way that we try to combat the spread of germs with constant reminders and availability of anti-bacterial hand wash, we will continue to see breaches occur.
To ensure patients’ care and safety, healthcare organizations must ensure that their environment is duly protected against unauthorized changes and misconfigurations, which can make their environment susceptible to a cyber-attack. Given the increased cyber-attacks against healthcare organizations, it is simply no longer sufficient to merely be compliant with security frameworks. When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances, but also provides protection for data in transit and at rest.