Data breaches: Is the healthcare industry vulnerable?

A recent study indicated that healthcare data breaches are at a four-year low. However, this statistic is pretty misleading. Why? Because so far, the number of breaches are pretty on-par with past years. According to Protenus, 822,696 unique patient data has already been breached in 2018—keep in mind that this data only reflects the months of January and February. Security breaches in the healthcare sector come in many different forms, but of the 800,000-plus patient information that Protenus referenced, over a third of what has been breached stems from a third-party accessing this private information. In other words, of the 39 healthcare data breaches that occurred in the month of February, 11 stemmed from third-party vendors. Healthcare data is especially valuable because it contains so much sensitive personally identifiable information (PII)—healthcare data supports both identity theft and financial fraud. Moving forward, healthcare organizations must direct their attention to securing third-party remote access, which will prevent business associates from retrieving information that is not only private, but that is not business critical to their needs.

The FastHealth breach

When FastHealth was breached, it affected a number of the healthcare facilities it serves. Within this breach, protected health information (PHI) was taken. When they say lightning doesn’t strike twice in the same place, this was not the case for FastHealth—they were maliciously attacked by third parties two different times within a year. FastHealth’s most recent breach (mid-August 2017) was caused by an unauthorized third party that not only gained access to the web server but also took confidential patient information. How does this happen? It happens when we don’t regulate secure remote computer access for third parties. One of the most concerning parts about this breach is that there is no evidence (as of yet) that any of the patient data that was stolen has been misused. In other words, there is not enough information yet to say with certainty what the compromised data has been used for.

The Capital Digestive Care breach

Another third-party breach in the month of February happened at Capital Digestive Care. This breach made over 70,000 unique PII vulnerable, which was found out via a tip reported to DataBreaches.net. This tip led to an investigation into an Amazon bucket that was leaking patient data—a bucket did not even require a login to be accessed. Included in this breached information was: name, address, phone number, date of birth, and personal information about appointments. This is why healthcare data is so precious—it includes a lot of information patients attempt to keep private. Some of the details of the breach on the Capital Digestive Care has not yet been confirmed, however, it is clear that a third-party was the source. There is not a lot of information coming from either Capital Digestive Care, or the third-party involved. So, at this time, investigators are unable to definitively say exactly whose information has been compromised, or what that compromised data contained.

What does this mean for the future?

Healthcare data will continue to be targeted by bad actors because of its value. As indicated earlier in the month of February, 28.2 percent of all healthcare breaches came from third-party vendors. To illuminate this statistic, another report stated that at least 30 percent of all breaches reported back to Health and Human Services’ (HHS) public breach tool are traced back to third-party vendors. A third-party breach is generally not caused by some hooded lone wolf hacker you see dramatized on TV shows—these breaches may be the fault of the business associates that you entrust, who unwittingly allow these hooded malicious actors to take advantage of their access. So, yes the data states that we are at a four-year low when it comes to breaches in the healthcare industry; however, this does not mean we should be any less diligent protecting sensitive information by taking steps to secure third-party remote access. In a survey conducted with over 600 CISOs, 42 percent of them say that a third-party data breach is one of their top concerns for 2018. Many CISOs are aware of the possibility of a breach, but there are steps that should be taken in order to safeguard sensitive information within the healthcare industry via remote support. This is especially crucial since healthcare data contains so much more PII than just a simple credit card number.

Predictions

Though data suggests that healthcare breaches are at a four-year low, a significant number of breaches have already occurred in 2018. A new study even suggests that bad actors will begin to go for smaller healthcare providers. From this, a suggested trend for 2018 is that bad actors may switch their attention to focus more on smaller healthcare providers, but this does not mean that the bigger guys are any safer than before. In fact, according to the Ponemon Institute, 41 percent of healthcare organizations say third parties cause breaches and 52 percent of business associates blame third-party difficulties. Although it is early into 2018, it is obvious that healthcare data breaches via bad actors will continue to be a trend in 2018. Third-party breaches come in many shapes and forms, as detailed above with the two different breaches—but there are ways to better safeguard this important data. A recent study stated that 59 percent of CISO’s believe that private information and data is near impossible to keep out of the hands of unauthorized access, however, there are solutions available for more secure remote access.

Taking preventive steps

Hindsight is always 20/20—but it is far more responsible to take proactive steps to protect your company and your clients’ sensitive data by being proactive and safeguarding your network from those bad actors who could exploit a business associate’s remote access. Think about it: there is a reason we have passwords for our phones, laptops, and emails. The information inside of all of these things is important, sensitive, and personal. If you wouldn’t share your passwords for these devices, why are you effectively sharing credentials with your third-party business associates and allowing access to even more sensitive information? Without the right secure remote connection, software, and solutions it may seem near impossible to keep PII protected from bad actors. However, peace of mind via a secure remote access is possible in the healthcare industry. Imprivata is a pioneer and leader in third-party secure remote access. Do not allow third-party business associates access to more information than they need to have—that way, you are able to proactively protect both your company and your clients.