More and more data breaches targeting hospitals: how weak is healthcare IT security?

Data breaches suffered by hospitals and healthcare organisations have made headlines all around the world in recent weeks and months. In the United States, the Hollywood Presbyterian center was ransomed 17,000 dollars in February in order to regain access to and control of its IT system. At the same time, the Einstein Healthcare Network in Pennsylvania and the Florida Department of Health, among many others, recently reported possible data breaches caused by unsecured databases. These affected several thousand individuals by exposing patient data outside the permitted boundaries of the two organisations' IT systems.

The United States is, of course, not the only country concerned, and the threat is not always external or intentional. In the UK, the Bloomsbury Patient Network and 56 Dean Street, two HIV support organisations, accidentally disclosed the identities of hundreds of HIV-positive individuals on several occasions through badly managed email campaigns in 2014 and 2015.

Why is healthcare data increasingly threatened by hacking and fraud?

In 2015, hackers compromised almost a hundred million healthcare records, affecting nearly 30% of Americans. While breaches in the retail sector have declined, they have soared in the healthcare sector, going from 7.8 million records compromised two years ago to almost 100 million in 2016.

But why? The explanation is very simple: a patient record now sells for an average of 200 dollars on the dark web, far more than credit card details or the other personal information found, for example, in the retail sector. Knowing this, it is not difficult to understand why hackers and internal fraudsters are turning towards hospitals and healthcare organisations.

These organisations, all around the world, are generally very unprepared for cyber attacks and fraud, whether intentional or accidental. A large number of hospitals, clinics, associations and administrations fear any significant data breach because they would not be able to put up proper resistance, even though they host and manage very sensitive data such as medical exam results, patient records and personal information.

A European legal void: defining medical data is now a priority in order to enforce its protection

We need to strengthen the protection of healthcare data very quickly so as to keep up with the rising interest of attackers targeting this sector. But a significant obstacle stands in the way, at least within the European Union: the lack of any legal definition and enforcement of what "health" or "medical" data are and how they must be protected.

The issue becomes even more complex when we take into account all the actors: not just the hospitals, associations and administrations, but also their subcontractors and partners. As of today, nothing enables a hospital to pressure a subcontractor, for example the one in charge of the RIM scanners, to set up a proper data protection system on its side. Yet these subcontractors manage and host very sensitive data! For now, one of the only ways to try to establish a better balance in data management and enforce security is through the terms of the contract, but this remains quite limited.

The General Data Protection Regulation (GDPR) should reinforce data protection for everyone by toughening the rules, but the healthcare sector seems very far behind today. The regulation still appears very vague on this topic, and hopes are as high as the fear of being hacked is growing among healthcare actors. The United States has not yet taken any general and visible action on strengthening healthcare data protection either.

Meanwhile, threats are growing and there is a real need for strong and agile data governance and protection solutions. Any ideas?