March 2017 saw a 1.5 million spike in lost or stolen medical records

Protenus, a company who protect patient privacy in the U.S., compiles a monthly report on data breaches called the Protenus Breach Barometer (PBR) using data provided by DataBreaches.net. It analyses all breaches reported to the Department of Health and Human Services (HSS) in the U.S or to the media in 2017.

Looking at breaches that compromised healthcare records for the past few months in 2017, January and February seemed relatively quiet with 388,000 and 200,000 patient records respectively. However, when compared to the massive spike of 1,519,521 compromised patient records in March, it makes the previous figures look insignificant.

The spike in compromised records unsurprisingly came from an increased number of breach incidents. January and February had 31 breaches whereas March saw 39. What was surprising was that 44% of the data breach incidents were internal. This could be harmless administrative errors or malicious insider attacks. Needless to say, healthcare organisations not only need to protect the data they hold from 3^rd party attacks like hackers, but they also need to make sure it is secure enough so that employees can’t trip up and cause a breach.

In a recent study published by the Journal of American Medical Association, they found that healthcare providers are increasingly easy targets for hackers. The study, headed by Assistant Professor Ge Bai, found that the larger the healthcare provider or teaching hospital, the more data breaches. In the study, the researchers compared hospitals with breaches against hospitals who had not been breached between 2009 and 2016. They found that the average number of beds a breached hospital had was 262, whereas their breach-free counterparts were at almost half the size with only 134 beds.

The healthcare industry has the highest percentage of data breaches

Healthcare providers are holding onto their spotlight as the ones with the highest percentage of data breaches. This March, they were responsible for 84.6% of breaches.

Although this isn’t a great improvement from the previous months (February held 77%), researchers are concerned with the shift in where the breaches came from. In March, only 3% of patient records were due to a third party. In an industry where doctors and physicians need to access patients records immediately as a matter of life and death, internal security is probably not at its highest. This compromise of easy access and security is a risky balance healthcare providers are playing with. Without necessary security measures, administrative errors are easily caused with significant consequences.

In the past year or so, there has also been the trend of data ransoming. With large databases of sensitive patient information, healthcare providers are a clear target for hackers and fraudsters. Hospitals and other healthcare providers may be in need of a security overhaul to protect patient’s information and their lives.

Some improvements

On a lighter note, the PBR reported an improvement with the time it took for healthcare organisations to report data breaches to the HSS. Although, probably due to extreme cases, the average time it took for incidents to be reported in February was 47 days. In March, they saw a drastic reduction with an average of only 45 days. The HHS usually requires that data breaches are reported to them within 60 days.

In a modern world where we all need access to information quickly, security measures seem to always be a step behind. New apps and portals for easy and fast information access makes it easy for users to accidentally breach data. Hackers and other malicious third parties are following this trend to their advantage. Why go to the trouble of planning and carrying out a robbery in a secure facility when you can hack a company’s unsecure database and ransom the important and sensitive information with a few clicks from the comfort of your own home?

Three’s latest data breach

Police officers have “unprecedented access” to millions of records