Michigan State University study: Healthcare providers — not hackers — leak more of your data

22 Nov

Lucas Mearian reported in Hackers are coming for your healthcare records — here’s why:

Data stolen from a bank quickly becomes useless once the breach is discovered and passcodes are changed. But data from the healthcare industry, which includes both personal identities and medical histories, can live a lifetime.
Cyberattacks will cost hospitals more than $305 billion over the next five years and one in 13 patients will have their data compromised by a hack, according to industry consultancy Accenture….
The Brookings research demonstrates that the healthcare sector is uniquely vulnerable to privacy breaches. For one thing, government regulations forced healthcare operations to adopt electronic health records (EHR) and other advances under the Patient Protection and Affordable Care Act (Obamacare) even if they weren’t ready to adequately invest in security.
Healthcare records also contain the most valuable information available, including Social Security numbers, home addresses and patient health histories — making them more valuable to hackers than other types of data, according to the study by the Brookings Institution’s Center for Technology Innovation. Since cybercriminals can sell data for a premium on the black market, hackers have a big incentive to focus their attacks on the healthcare industry.
With the push toward more integrated care, “medical data are now being shared with many different types of entities in which many employees have access to patient records,” the study said. “Extended access to medical records increases the potential for privacy breaches.”
To comply with legal requirements, healthcare organizations often store detailed medical information for many years. The probability of a breach — and the potential severity of the consequences — increases according to the amount of data stored and the length of time it is stored….
The greatest threat to the healthcare industry today, Safavi said, is not from one-off hackers seeking quick paydays, but from foreign governments that can store intimate personal health data for future use against individuals.
For example, hackers last year stole the records of about 80 million customers of Anthem Inc., the second largest U.S. health insurer.
“The presumption was that they were state actors,” Safavi said. “The purpose of the state actor was to harvest the database in order to create a dossier of individuals that they could use for social engineering for future attacks….” https://www.computerworld.com/article/3090566/healthcare-it/hackers-are-coming-for-your-healthcare-records-heres-why.html

A Michigan State University study highlighted the risks of inadequate security by medical providers against hackers.

Science Daily reported in Healthcare providers — not hackers — leak more of your data:

Your personal identity may fall at the mercy of sophisticated hackers on many websites, but when it comes to health data breaches, hospitals, doctors offices and even insurance companies are oftentimes the culprits.
New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers — not because of hackers or external parties.
“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors — but rather by internal negligence,” said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business.
The research, published in JAMA Internal Medicine, follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.
For this paper, Jiang and co-author Ge Bai, associate professor at the Johns Hopkins Carey Business School, dove deeper to identify triggers of the PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients.
“Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause,” Jiang, the Plante Moran Faculty Fellow, said. “These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or ‘other.’”
After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in healthcare entities.
“One quarter of all the cases were caused by unauthorized access or disclosure — more than twice the amount that were caused by external hackers,” Jiang said. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”
While some of the errors seem to be common sense, Jiang said that the big mistakes can lead to even bigger accidents and that seemingly innocuous errors can compromise patients’ personal data…. https://www.sciencedaily.com/releases/2018/11/181120073655.htm

Citation:

Healthcare providers — not hackers — leak more of your data
Date: November 20, 2018
Source: Michigan State University
Summary:
New research found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers — not because of hackers or external parties.

Here is the press release from Michigan State:
Published: Nov. 16, 2018

HEALTH CARE PROVIDERS – NOT HACKERS – LEAK MORE OF YOUR DATA
Contact(s): Caroline Brooks, Xuefeng Jiang

Your personal identity may fall at the mercy of sophisticated hackers on many websites, but when it comes to health data breaches, hospitals, doctors offices and even insurance companies are oftentimes the culprits.
New research from Michigan State University and Johns Hopkins University found that more than half of the recent personal health information, or PHI, data breaches were because of internal issues with medical providers – not because of hackers or external parties.
“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” said John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business.
The research, published in JAMA Internal Medicine, follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.
For this paper, Jiang and co-author Ge Bai, associate professor at the Johns Hopkins Carey Business School, dove deeper to identify triggers of the PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients.
“Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause,” Jiang, the Plante Moran Faculty Fellow, said. “These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or ‘other.’”
After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in health care entities.
“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” Jiang said. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”
While some of the errors seem to be common sense, Jiang said that the big mistakes can lead to even bigger accidents and that seemingly innocuous errors can compromise patients’ personal data.
“Hospitals, doctors offices, insurance companies, small physician offices and even pharmacies are making these kinds of errors and putting patients at risk,” Jiang said.
Of the external breaches, theft accounted for 33 percent with hacking credited for just 12 percent.
Some data breaches might result in minor consequences, such as obtaining the phone numbers of patients, but others can have much more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so weren’t aware of the situation until they went to file their taxes only to discover that a third-party fraudulently filed them with the data they obtained from Anthem.
While tight software and hardware security can protect from theft and hackers, Jiang and Bai suggest health care providers adopt internal policies and procedures that can tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a “copy vs. blind copy” protocol (bcc vs cc) as well as encryption of content.
“Not putting on the whole armor opened health care entities to enemy’s attacks,” Bai said. “The good news is that the armor is not hard to put on if simple protocols are followed.”
Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data. https://msutoday.msu.edu/news/2018/health-care-providers-not-hackers-leak-more-of-your-data/

Protecting vital information from hackers of all types means constantly chasing a moving target.

Medical providers range from small offices to large institutions and university departments. Wendy Zamora wrote in 10 ways to protect against hackers:

What can you do to protect it against cybercriminals? Instead of sitting back and waiting to get infected, why not arm yourself and fight back?
Bad guys, beware. We’ve got 10 ways to beat you.
1. Update your OS and other software frequently, if not automatically. This keeps hackers from accessing your computer through vulnerabilities in outdated programs (which can be exploited by malware). For extra protection, enable Microsoft product updates so that the Office Suite will be updated at the same time. Consider retiring particularly susceptible software such as Java or Flash, especially as many sites and services continue to move away from them.
2. Download up-to-date security programs, including anti-malware software with multiple technologies for protecting against spyware, ransomware, and exploits, as well as a firewall, if your OS didn’t come pre-packaged with it. (You’ll want to check if your OS has both firewall and antivirus built in and enabled by default, and whether those programs are compatible with additional cybersecurity software.)
3. Destroy all traces of your personal info on hardware you plan on selling. Consider using d-ban to erase your hard drive. For those looking to pillage your recycled devices, this makes information much more difficult to recover. If the information you’d like to protect is critical enough, removing the platters where the information is stored then destroying them is the way to go.
4. Do not use open Wi-Fi on your router; it makes it too easy for threat actors to steal your connection and download illegal files. Protect your Wi-Fi with an encrypted password, and consider refreshing your equipment every few years. Some routers have vulnerabilities that are never patched. Newer routers allow you to provide guests with segregated wireless access. Plus, they make frequent password changes easier.
5. Speaking of passwords: password protect all of your devices, including your desktop, laptop, phone, smartwatch, tablet, camera, lawnmower…you get the idea. The ubiquity of mobile devices makes them especially vulnerable. Lock your phone and make the timeout fairly short. Use fingerprint lock for the iPhone and passkey or swipe for Android. “It’s easy to forget that mobile devices are essentially small computers that just happen to fit in your pocket and can be used as a phone,” says Jean-Philippe Taggart, Senior Security Researcher at Malwarebytes. “Your mobile device contains a veritable treasure trove of personal information and, once unlocked, can lead to devastating consequences.”
6. Sensing a pattern here? Create difficult passwords, and never use the same ones across multiple services. If that’s as painful as a stake to a vampire’s heart, use a password manager like LastPass or 1Password. For extra hacker protection, ask about two-step authentication. Several services have only recently started to offer 2FA, and they require the user to initiate the process. Trust us, the extra friction is worth it. Two-factor authentication makes taking over an account that much more difficult, and on the flip side, much easier to reclaim should the worst happen.
7. Come up with creative answers for your security questions. People can now figure out your mother’s maiden name or where you graduated from high school with a simple Google search. Consider answering like a crazy person. If Bank of America asks, “What was the name of your first boyfriend/girlfriend?” reply, “Your mom.” Just don’t forget that’s how you answered when they ask you again.
8. Practice smart emailing. Phishing campaigns still exist, but cybercriminals have become much cleverer than that Nigerian prince who needs your money. Hover over links to see their actual URLs (as opposed to just seeing words in hyperlink text). Also, check to see if the email is really from the person or company claiming to have sent it. If you’re not sure, pay attention to awkward sentence construction and formatting. If something still seems fishy, do a quick search on the Internet for the subject line. Others may have been scammed and posted about it online.
9. Some websites will ask you to sign in with a specific service to access features or post a comment. Ensure the login option isn’t a sneaky phish, and if you’re giving permission to an app to perform a task, ensure you know how to revoke access once you no longer need it. Old, abandoned connections from service to service are an easy way to see your main account compromised by spam.
10. Keep sensitive data off the cloud. “No matter which way you cut it, data stored on the cloud doesn’t belong to you,” says Taggart. “There are very few cloud storage solutions that offer encryption for ‘data at rest.’ Use the cloud accordingly. If it’s important, don’t.”
Honorable mentions: Alarmist webpages announcing that there are “critical errors” on your computer are lies. Microsoft will never contact you in person to remove threats. These messages come from scammers, and if you allow them to remotely connect to your computer, they could try to steal your information and your money. If that’s not a Nightmare on Elm Street, then we don’t know what is. https://blog.malwarebytes.com/101/2015/10/10-ways-to-protect-against-hackers/

Hacking of medical records is cyber warfare and the best defense is a good offense.

Where information leads to Hope. © Dr. Wilda.com

Dr. Wilda says this about that ©

Blogs by Dr. Wilda:
COMMENTS FROM AN OLD FART©
http://drwildaoldfart.wordpress.com/

Dr. Wilda Reviews ©
http://drwildareviews.wordpress.com/

Dr. Wilda ©
https://drwilda.com/