Heathcare Suffers Majority Of Data Breaches

A survey of American organisations found that, like in the UK, the healthcare industry suffers the most data breaches.

A total of 113 healthcare facilities have been hit with data breaches in 2010, compared with only 39 banking/finance firms, according to a July 28 report by the Identity Theft Resource Center.

Hospitals are vulnerable to insider data breaches with the multitude of doctors, nurses, lab technicians, janitors and food service personnel circulating throughout the facility, according to Jay Foley, executive director of the ITRC.

Internal Threat

In one incident reported by the ITRC, a former UCSF (University of California, San Francisco) Medical Center employee used fellow workers’ Social Security numbers to fill out health surveys that won him hundreds of $100 (£63) vouchers for an Amazon.com shopping spree. The former employee pleaded guilty to wire fraud in federal court.

In another case cited in the ITRC report, the Colorado Department of Health Care Policy & Financing notified 105,470 clients receiving state-provided health insurance that a hard drive had been stolen containing their state ID numbers.

The organisation obtained its information on the healthcare data breaches from the US Department of Health and Human Services, Foley told eWEEK. To qualify as a breach, the data had to include financial account information, as well as driver’s license and Social Security numbers, he explained.

Meanwhile, BridgeHead Software, a storage-virtualisation firm, reported in its International 2010 Data Management Healthcheck survey that 69 percent of healthcare organisations expect their volume of stored data to increase this year. However, by comparison, only 44 percent of hospitals surveyed planned to make disaster recovery a top IT spending priority.

Frank Kenney, vice president of global strategy at Ipswitch, noted that health care facilities are not complying with HIPAA (Health Insurance Portability and Accountability Act) and regional government regulations on data privacy. Even signing your name in at the front desk in a doctor’s office for all to see is a breach of HIPAA regulations, according to Kenney.

Having a nurse encrypt your signature digitally would be better, he said.

Kenney told eWEEK that full compliance and visibility as well as avoiding storage of personal medical data on flash drives and CD burners are essential measures to averting data breaches.

As Verizon reported in its 2010 Data Breach Investigations Report, in collaboration with the US Secret Service, 48 percent of data breaches across all industries were caused by insiders. “There’s a fairly significant amount of breaches coming from insiders who have access to the data,” Kenney said.

One heavily publicised example occurred in 2008 when the UCLA Medical Center fired employees for selling the health records of Britney Spears and Farrah Fawcett to the National Enquirer.

Most hospitals are focused on preventing unauthorised access by outsiders, using firewalls, rather than preventing intrusion by insiders, said Phil Neray, vice president of security strategy for IBM’s Guardium security platform, which analyses transactions in databases for suspicious activity. “Firewalls have been insufficient in preventing unauthorised access by insiders,” he told eWEEK.

Financial Security

With double the amount of data breaches for healthcare facilities (108) compared with banking/finance firms (39), the financial institutions are more equipped to monitor database activity than healthcare companies, according to IBM’s Neray. “All of the major banks have implemented this technology, but very few hospitals have,” he said.

Neray noted that the health information exchanges outlined under federal meaningful use guidelines of electronic medical records will centralise data in big data warehouses, thereby increasing the risk for data breaches.

The web is a vulnerable spot as far as data breaches, noted Michael Maloof, CTO of TriGeo Network Security, which makes the TriGeo Security Information Management device. “Going through the [ITRC] report, I did see a number of cases that referred generically to server breach. The vast majority of these are from client-based breaches based from the web,” he told eWEEK.

If a breach does occur, ITRC’s Foley said it’s important to take a snapshot of your system to provide to law enforcement. “No matter who you had in your organisation, there will always be some thief to create grief and havoc for you,” he said.