07 Dec 2012

Healthcare Under Cyber-Attack: 94% of Hospitals Breached


Almost nine hospitals in 10 have suffered at least one data breach, according to a study commissioned by ID Experts. The same report says these breaches cost healthcare organizations an estimated $7 billion per year.

These incidents are not isolated, as about 45% of victim institutions have been breached more than five times over the last two years, excluding any unreported breaches. These breaches affect both the institutions and patients. The study reveals 52% of these snafus included loss of medical identity, inaccurate or incomplete patient medical records or administration of improper medical treatment.

It appears that the most common cause of data breaches is not malicious activity, but rather poor implementation of BYOD policies: as more and more medical staff bring their own devices to work, they use them to store patient data. If these personal devices are lost or stolen, patient data lands in the wrong hands, resulting in both patient exposure and loss of important medical history.

Employee errors account for 42 percent of the breaches, while breaches caused by third-party outsourcers also account for 42 percent. Direct attacks against the organization's infrastructure account for 33 percent of the issues.

"Healthcare organizations face many challenges in their efforts to reduce data breaches," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "This is due in part to the recent explosion of employee-owned mobile devices in the workplace and the use of cloud computing services. In fact, many organizations admit they are not confident they can make certain these devices are secure and that patient data in the cloud is properly protected. Overall, most organizations surveyed say they have insufficient resources to prevent and detect data breaches."

Healthcare and military are two critical industries increasingly targeted by cyber-criminals. The importance of every data leak makes it mandatory for CIOs and IT departments to plan disaster recovery in advance. Also, employee devices that carry patient data should be equipped with an antitheft solution designed for mobile devices.