
Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

According to a new study from IBM Security and the Ponemon Institute, the cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year. 

For the eighth year in a row, healthcare organizations had the highest costs associated with data breaches. The next highest industry was financial services with an average of $206 per lost or stolen record - half of what it cost the healthcare industry. The cost for healthcare organizations is also nearly three times higher than the cross-industry average of $148 per lost or stolen record.

How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers revealed that the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system and steal sensitive data.

The data comes from the 2018 Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of whom were based in the United States.

Forget Credit Cards, Hackers Want Your Medical Record

When considering our online privacy and security, we often hold our financial records, bank accounts, and credit card numbers in the highest regard. After all, if a hacker gets this information, they have ‘the keys to the kingdom’, right? It might be surprising to learn that the black market value of this data is actually quite low.

The going rate for your social security number is about a dollar. Your credit card number is worth five dollars. A complete medical record, on the other hand, can sell for more than $1,000 on the Dark Web.

Over 1M Patients Affected by Healthcare Breaches in Q1 of 2018

According to a new report by the HIPAA Journal, the first three months of 2018 have seen 77 healthcare data breaches. The breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) have impacted more than one million patients and health plan members.

This number is twice the number of individuals impacted by healthcare data breaches in Q4 of 2017. Between January 1 and March 31, 2018, 1,073,766 individuals had their Patient Health Information (PHI) exposed, viewed, or stolen, compared to 520,141 individuals in Q4 of 2017.

Insider threats are healthcare's biggest risk

According to the latest Verizon Data Breach Investigations Report, the insider threat remains the greatest threat to healthcare providers.

Healthcare is the only industry, across nine surveyed, in which internal actors are the biggest threat to an organization. Human error remains a major contributor to healthcare risks.

Nearly 58% of the sector’s breaches were caused by internal threat actors, while 42% were caused by external risks. 

Top 5 Security Risk Analysis Myths & Facts

Conducting a security risk analysis is a required measure for all HIPAA covered entities. Eligible professionals must conduct or review a security risk analysis for each reporting period to ensure the privacy and security of their patients’ protected health information. 

The latest HIPAA Audit Program results found that 83% of covered entities failed to perform an adequate security risk analysis (SRA). Additionally, 94% failed to establish or maintain an information security risk management plan. Failing to perform a risk assessment, or conducting an insufficient one, is the leading cause of failing a HIPAA audit.

Indiana Health System Pays $47,000 Ransom to Unlock Patient Data

Indiana hospital system Hancock Health said it paid hackers 4 bitcoin, or about $47,000, to unlock its network after a ransomware attack on January 11, 2018.

Hackers compromised a third-party vendor’s administrative account to the hospital’s remote-access portal and launched SamSam ransomware, a ransomware variant which encrypts data files on the systems and uses a private key to unlock them. It quickly infected the hospital’s IT system by locking out data and changing the names of more than 1,400 files to "I'm sorry."

21st Century Oncology to pay $2.3M HIPAA settlement for 2015 data breach

21st Century Oncology has agreed to pay a $2.3 million fine to the Department of Health and Human Services for a 2015 data breach that impacted more than 2.2 million patients.

According to court documents, the national cancer care provider headquartered in Fort Myers, Florida, has also agreed to class action lawsuits filed in 2016. 21st Century Oncology operates 179 treatment centers across 17 states.

The breach of the company's network SQL database and theft of the medical data and Social Security numbers of millions of patients is believed to have occurred as early as October 3, 2015. 

28,434 compromised records and the importance of addressing the insider threat

The Center For Health Care Services, based in San Antonio, Texas, has notified 28,434 patients of a privacy breach involving their personal and health information. The data was allegedly stolen when a former employee took the information after being fired in 2016.

The compromised data includes patients' Social Security numbers, dates of birth, medical record numbers, dates of services, referral information, progress notes, types of services, diagnoses, medications, lab and toxicology reports, autopsy reports, death certificates, treatment plans and discharge and death summaries.

According to the released statement:  "A former employee of CHCS was discovered to have secretly taken personal health information from CHCS on his personal laptop computer at the time his employment was terminated on May 31, 2016. The discovery was made on Nov. 7, 2017, as a result of documents produced in litigation between the former employee and CHCS."