The data breach phenomenon has been plaguing the US healthcare sector for more than a decade, with a 2,733% increase between 2009 and 2019, according to a PrivacyAffairs study.
Through analysis of reported healthcare data breaches over the past decade, researchers have revealed some alarming statistics:
• 3,054 data breaches were disclosed between 2009 and 2019
• 230,954,151 healthcare records have been lost, stolen or exposed
• Healthcare data breaches have impacted 70% of US citizens
Although the causes of healthcare data breaches range from human negligence to geopolitical cyberattacks, more often than not, stolen healthcare records end up for sale on underground marketplaces.
According to the study, 2015 was the worst year in the past decade in terms of the number of healthcare records exposed.
“This is primarily due to the Anthem Inc. data breach that exposed personally identifiable medical records of 28.8 million people,” the paper reads. “2018 and 2019 saw a sharp increase in the number of individuals affected by healthcare data breaches, with a six-fold increase between 2017 and 2019.”
Hacking was the main cause of all the most significant attacks, including the Anthem Inc. breach that affected 78.8 million individuals.
When it comes to the highest number of reported healthcare data breaches, 2019 saw 303 reports, compared to 423 reports disclosed between 2016 and 2018.
Researchers also noted that human negligence plays an important role in the exposure of personal health information (PHI), with many incidents occurring due to the theft of an unencrypted and unsupervised device, such as a personal computer. Improper disposal of PHI has also been responsible for leaking over 1 million patient records, the study shows.
“When data is no longer needed, it must be carefully disposed of,” researchers warned. “Old hard drives must be fully sanitized, rather than simply wiped. Where personal data is concerned, complete destruction of storage devices is recommended.”
Cybercriminals often target medical records and data due to the variety and sensitive nature of information held by healthcare organizations. Although healthcare providers have regularly invested in cybersecurity programs, many still use outdated systems and poorly secured devices that leave them extremely vulnerable to cyberattacks.
“Hospital IT teams are often so busy with simply keeping systems and databases working correctly that data security becomes a lower priority,” researchers said. “This means that known vulnerabilities are often left unpatched and systems not updated.”
The number of interconnected IoT devices within hospitals also makes for a suitable entry point for attackers who wish to gain access to a healthcare provider’s network.
Medical devices don’t usually come with built-in security measures, and IT teams are not necessarily equipped with the human resources needed to handle their maintenance. With most medical IoT devices left unsecured, attackers can easily exploit them, gaining access to critical internal systems.