A recent global study conducted by Ponemon and funded by IBM Security shows that, of the 383 participating companies, 91 percent of healthcare organisations in 25 countries have been hit by at least one data breach in the past two years. The total cost of these breaches has been 6.2 billion US dollars (4.6 billion pounds), and an average impact of nearly 2.8 million pounds per breach.
The issue of data breaches in general has decreased by 10 percent in the past year, but the healthcare sector has consistently been the target of 41 percent of data breach incidents.
So what makes the healthcare sector so vulnerable to attack?
The answer to that question is twofold. Primarily, a person's healthcare record is not just personally identifiable information or personal health information. The healthcare record is all of your information in one package. That makes it a valuable target for a data thief.
It is estimated that healthcare records are worth five times more than credit cards, as those can be cancelled. Healthcare data can be used for a variety of purposes, including personal and financial identity theft, insurance fraud and falsifying prescriptions.
But data hacking is not even the most prevalent threat to data in the healthcare sector. Human error and negligence of security protocol play a huge part in making the healthcare sector vulnerable to attack.
An article published by SC Magazine draws attention to the daily work routine of a medical practitioner, which involves constant circumvention of IT safeguards against data breach. Practitioners often share passwords to view patient charts. There was even one reported instance of a hospital technician using a physician's PIN to create false reports for patients.
Standard accepted practises for strong password hygiene are often non-existent. Many IT systems create a password expiry meant to keep hackers from gaining access to sensitive data. But one healthcare employee noted that this practise causes everyone to write down their passwords.
One security measure in place in healthcare is the use of motion sensors. When these sensors are not detecting a presence, they will log out of the computer in order to protect data. Clinicians defeat these proximity sensor timeouts by placing Styrofoam cups over motion detectors. Another timeout prevention method requires the most junior staff member to routinely tap the space bar on each computer. The problem, many clinicians say, sits with IT security staff who do not sufficiently consider the actual workflow of a medical professional.
Because a duality exists in healthcare data breach, it is a battle that must be fought on two fronts, and security resources can do little to stop data breaches from within when employees are actively circumventing protocol to do their jobs effectively.
Data breach is an issue in itself, but the fact that data breaches occur undetected and continue for days, weeks or even years exacerbates the issue. Verizon's 2016 Data Breach Incident Report says that less than one third (31 percent) of data breaches are discovered within days. An additional 31.25 percent of breaches are discovered within months; but what is most alarming is that 18.75 percent, nearly one in five, of the data breaches take at least a year to find. That is over a year that a hacker has had access to a treasure trove of personal and financial information.
Human error is a leading cause of data breach in any industry. People leave laptops in unsecure locations, they respond to and click links in phishing emails, they fail to use caution when disposing of sensitive documents. It is understandable that people make mistakes for a number of reasons; however, two factors make the nature of the healthcare industry a prime target for data thieves: the healthcare record is incredibly valuable, and healthcare professionals disregard security protocol in favor of performing life-saving work.