What is the most common cause of healthcare data breaches?

Patient’s medical records are a goldmine for malicious hackers—if they can get their hands on them. According to Cisco Internet Security Threat Report, healthcare is currently the most targeted industry by cybercriminals.

Health data breaches have been on the headlines for a while now. From the crippling breach of Anthem to the compromising of 10 million patient records at UCLA Health — nothing is sacred when it comes to cyberattacks these days. While the impact of security incidents might differ depending on their magnitude, it seems that poorly protected IT systems and hacking/IT incidents are often the biggest culprits in causing privacy and financial setbacks.

Healthcare data breaches are on the rise. Although many are concerned with hacking, several factors could potentially cause a significant healthcare data breach.

Common causes of healthcare data breaches!

Data breaches are becoming more and more common. With the rise of hacking, phishing, malware attacks, and new security regulations, all healthcare organizations need to stay proactive in protecting their data.

The most common cause of data breaches for healthcare organizations is malicious or cyber-criminal attacks. Data breaches can come from various sources, including hackers stealing protected health information (PHI) from an organization’s database, unencrypted devices, or a weak, stolen password. One of the biggest causes of healthcare data breaches is misconfigured medical devices and office equipment. Medical device security remains a major concern for organizations. Click here to know how do breaches happen and how to prevent them?

Hacking/ IT Incidents accounts for 47% of healthcare data breaches making it the #1 cause of healthcare data breaches.
(Source: Electronic Health Reporter)

Patient Data Theft: High risk
Health care industry members are all too familiar with data theft and new methods of exfiltrating information from connected medical devices such as electronic medical records (EMRs) and protected health information (PHIs). IP-enabled medical devices can be easily exploited by experienced hackers because of minimal access controls and known vulnerabilities. A hacker may then take data directly from the medical device, but since medical devices typically contain limited data, he is more likely to go to servers, data centers, or other devices on the network, like the XP workstation that is connected to the electronic medical record. Data breaches in healthcare are defined as theft and loss 32% of the time, compared to only 15% in different industries, 2^nd to Hacking and IT incidents, as per Healthcare drive. With the number of high-profile breaches in healthcare over the past three years, healthcare organizations need tighter controls to mitigate this risk.

What is the cost to your company?

According to IBM’s Cost of Data Breach Report 2021:

• Healthcare organizations spent an average of $161 per breached record in 2021, which is expected to increase in the future.
• On average, it takes 329 days to identify a breach.

The reports show that the cost of data breaches has risen once again, reaching a record high since IBM first published the report 17 years ago. The average cost of a data breach increased by 10% year over year, to $4.24 million per incident and that of healthcare data breaches increased by $2 million to $9.42 million per incident in 2021. The average cost of ransomware attacks was $4.62 million per incident.

How can you avoid a data breach?

• Back up data– Having a proper backup schedule and implementing a secure process to access the off-site data is a preliminary requirement. Confirm that your backup/recovery partner is also HIPAA compliant. Cloud hosting solutions can also be considered for better security.
• Two factor authentication- Multi-factor authentication, also known as 2FA, is a simple concept that can be implemented by companies easily. A key benefit of two-factor verification lies in its very name: it requires two variables to access an account, just as you need two keys to enter a house. The security is therefore twice as strong.
• Safeguard data and devices- Ensure that the tools and policies for security are implemented, securing all the devices accessing your network. Remote monitoring for unauthorized access and unusual activity can opt. Limit and set proper data control and access for the devices.
• Train and educate staff– create a policy for regular security training and practice sessions. Identifying phishing emails, ensuring password complexity, and adhering to anti-malware protocols should be a part of this training. More details

To wrap things up!

Security and compliance are among the top factors healthcare organizations consider when adopting new technologies. Many organizations didn’t or were not able to take the time to strategically align new cloud-based tools and platforms with existing security standards as they transitioned to remote work after the pandemic.
Security and privacy should be a priority when working with technology partners in healthcare. It is a trusted partner’s responsibility to ensure users’ privacy and security, having incorporated a variety of safeguards into their processes, designs, and code, as well as constructing the infrastructure to ensure careful protection of user information. Cisco, Greenway, GE Healthcare, and Protected Harbor are some of the most trusted and reliable healthcare IT solution providers who take pride in their experience of delivering solutions to healthcare and other organizations.

China eyeing U.S. healthcare data

Do you want your PHI (protected health information) or DNA going to an authoritarian regime that has a history of using DNA for repression and surveillance? People’s Republic of China (PRC) has collected large sets of data from U.S. over the years, through every means possible. Access to American healthcare data now poses a serious risk to the privacy, economy, and national security of the United States.

The Covid-19 outbreak is only one part of the healthcare pandemic the country is suffering. The sudden dent in the healthcare infrastructure left the companies and the government reeling. As COVID rates and testing have requirements spiked, China’s BGI (Beijing Genomics Institute) Group, the world’s largest biotech and healthcare analytics company, proposed to help build and run advanced COVID testing labs throughout the U.S.  BGI would provide technical expertise, high throughput sequencers, and even make financial donations for more research.

With America struggling to set up enough testing and research facilities, China’s proposal was hard to ignore in times of such desperation. That is until the U.S. National Counterintelligence and Security Center raised suspicion and warned against it.
“access to U.S. healthcare and genomic data by China poses serious national security and privacy risk for the United States.” The NCSC said in a statement. Apparently, the Chinese biotech group supplying the COVID-19 testing kits and helping to set up more than 18 research labs also planned on using samples to obtain healthcare data on American citizens, such as DNA and PHI.

China’s access to U.S. healthcare data

The People’s Republic of China (PRC) has been looking to obtain America’s ethnically diverse health data for years. According to National Counterintelligence and Security Center (NCSC), they have been able to gain access to US healthcare data, including genomic data, through a variety of channels, both legal and illegal, including theft of research and cyberattacks.”

#DYK: China has for years accessed U.S. genomic data through legal and illegal means. China’s DNA collection at home has helped it carry out human rights abuses. It’s collection of such data from America poses equally serious risks. See: https://t.co/zR5l1KuZZ8 pic.twitter.com/XCYj3CE0FZ

— NCSC (@NCSCgov) February 19, 2021

According to a report by CFR (Council of Foreign Relations), China already has more data on the genetic sequencing of the US population than the United States has on its own population.
Chinese companies invested in U.S. firms that handle sensitive personal and healthcare data, providing them with easy access to this US Electronic Health Records (EHR). For example, BGI purchased U.S. genomic sequencing company Complete Genomics in 2013, and China’s Wuxi Pharma acquired NextCODE Health in the U.S. and later formed Wuxi NextCODE Genomics.

Recent healthcare data breaches from hackers in China within the PRC government include the theft of personal data and EMRs. Anthem Inc. in 2015 lost healthcare data on roughly 78 million people; information including health identification numbers, names, Social Security numbers, employment, and income information. Two individuals based in China were indicted by the U.S. Justice Department for hacking Anthem and three other U.S. companies, in 2019.

The China Challenge

Bill Evania, a veteran of both the CIA and the FBI, also suspected that offer of help from BGI was a modern-day trojan horse. Using the labs as a way to establish a foothold in the U.S. healthcare market, much like previous corporate acquisitions, and then mining the health data even US Government agencies can’t access. Further, all Chinese companies are obligated to share data collected with the PRC government under the PRC’s national security laws. So any Chinese healthcare company on U.S. soil poses a national security risk.

We have seen the consequences in the past. The U.S. Department of Commerce sanctioned two subsidiaries of China’s BGI in July 2020 over the PRC government’s use of genetic techniques to repress Uyghurs and other Muslim minority groups in Xinjiang.

But how has this happened? China has taken the advantage of the loose safety and security infrastructure protecting our PHI and EMR. Policies need to be revamped concerning the sharing and control of these data at the national and international levels.

China’s BGI has collaborated with many American healthcare and research entities over the past decade, providing them with genomic sequencing services, as well as gaining access to health records and genetic information of U.S. citizens. But to date there are not enough regulations and policies to stop internal employees to share such information with other company employees, who just happen to also work for the Chinese government.

Conclusion and Diagnosis

“We have a short term approach to data management, solve the problem today, but that often leads to larger problems down the road.”                                – Richard Luna, CEO, Protected Harbor

To address the ever-growing surveillance capabilities of China and other authoritarian states, the U.S. and other nations should take bold action instead of timid, gentle steps. To begin with, the government needs to strengthen healthcare privacy legislation and regulation. Enhanced privacy laws would provide protections against only for foreign states, but also from domestic governments and private parties wishing access to protected healthcare data.

National healthcare IT organizations should also increase user safety and privacy, encryption, reporting, auditing, to enhance data transfer and internet openness. Since electronic health records (EHR) are now the norm, every healthcare organization must be sensitive to the intersection of health information, security, and must adhere to HIPAA compliances. HIPAA Security Rule involves many physical safeguards, technological measures, and organizational standards. It applies to technology in three key ways: technologies that store PHI must log out after a certain time to prevent unauthorized access, all users must be assigned unique logins that can be audited, and, PHI must be encrypted.

No healthcare IT department is alone in the battle to protect against illegal or legal healthcare data breaches. Partnering with reliable and secured healthcare IT solution expert such as Protected Harbor can help solve the issues at a grassroots level. With two organizations working together, the healthcare data industry can lay multiple pillars of healthcare data infrastructure to strengthen national security. We cannot accept our information as safe as is, given the scope of data collection on devices and China’s known involvement in this area. There are no checks and balances in the sharing of data. For example, a company allows the vendors access to the billing data to generate reports. But the vendor has access to ALL of the data, not just what’s needed to generate reporting. The IT department and cybersecurity U.S. needs to be heavily vested in the security and safety of data.

The U.S. has spent the last decade creating interoperable healthcare systems and China is now using legitimate interconnected companies to capture data. As a result of the COVID-19 outbreak, different technologies and data have been linked at a faster rate than security measures applied to the data. Millions of Americans have lost their DNA and personal information, allowing China to leverage our health information to develop artificial intelligence and precision medicine, putting America’s $100 billion biotechnology industry at a disadvantage. We need to cut the oxygen and this starts from the ground level moving up the ladder to the national level.