Managing Vulnerabilities and Risks in the Healthcare Sector


The healthcare industry processes a large volume of sensitive personal data belonging to billions of people worldwide. A security breach therefore has significant financial, personal and organizational consequences, and it is hardly surprising that the cost of a data breach in healthcare organizations is more than double the average cost in other sectors. According to the 2017 Cost of Data Breach Study, healthcare organizations incurred an average cost of $380 for each lost or stolen record, compared with a global average of $141 per record across all sectors.

In 2017, there were numerous reports of security breaches in the USA and other countries. Several factors contribute to these breaches, such as inadequate security and compliance measures, user vulnerabilities and, according to the HIPAA Journal, the failure to conduct an enterprise-wide risk analysis.

Table 1: Top healthcare data breaches in the USA - 2017

Healthcare Provider                     Records compromised   Cause
Commonwealth Health Corporation         697,800               Theft
Airway Oxygen, Inc.                     500,000               Hacking/IT Incident
Women’s Health Care Group of PA, LLC    300,000               Hacking/IT Incident
Urology Austin, PLLC                    279,663               Hacking/IT Incident
Pacific Alliance Medical Center         266,123               Hacking/IT Incident

Source: HIPAA Journal

Five of the most significant breaches in the USA, in terms of the number of records compromised, are summarized in Table 1. These breaches were caused by insider threats, theft and ransomware attacks.

In March 2017, Commonwealth Health Corporation reported a breach affecting 697,800 individuals. The breach was largely attributed to the theft or loss of encrypted devices.

In April 2017, a ransomware attack on Airway Oxygen, Inc. resulted in the protected health information of 500,000 individuals likely being compromised by the attackers. Other health care providers reported ransomware attacks as well; the attack on Arkansas Oral Facial Surgery Center, for example, resulted in 128,000 patient records being compromised.

The Women’s Health Care Group reported that the health information of 300,000 patients was compromised because of a ransomware attack. A statement posted on its website said that the clinic discovered that a server and workstation at one of its offices had been “infected by a virus designed to block access to system files”.

Urology Austin, PLLC was the victim of a ransomware attack in January 2017. Close to 300,000 patient records were likely compromised. A statement similar to that of the Women’s Health Care Group was issued at the time.

Over 260,000 patients were affected when Pacific Alliance Medical Center experienced a ransomware attack in June 2017. At that time, the Center discovered that its servers had been compromised and files encrypted without authorization.

In addition to the examples from the USA, in July 2017 Bupa, a London-based private healthcare group, suffered a breach that affected 500,000 customers on its international health insurance plan. It was reported that a Bupa employee inappropriately copied and removed information from its network, including names, dates of birth and some contact information.

The above incidents highlight that ransomware attacks are becoming even more pervasive while other sources of threat, such as theft and insider misuse, remain insidious. These events further reinforce that no institution is immune to such threats. As a result, it is important that healthcare entities become more responsive to industry compliance requirements and strengthen their security defense strategies.

Wilson Consulting Group (WCG) provides a comprehensive suite of services that are aimed at minimizing vulnerabilities and risks in healthcare institutions. These services will enable an institution to become more compliant with industry standards and improve its security posture. WCG provides:

Take the step today towards safeguarding sensitive patient records. WCG stands ready to assist you in improving your security posture.