Healthcare providers found to be the cause of most data breaches in health industry

Hackers may not be entirely to blame

Cybersecurity is cause for concern for many consumers, and as several headlines have recently made clear, that’s with good reason. Whether it’s credit card or social security information, ensuring that personal information remains private has become a difficult task.

Medical records are also something many consumers should be paying attention to, as data breaches have become quite commonplace in the health industry. And a new study found that the leaks may not solely be coming from hackers.

Researchers found that many data breaches involving consumers’ healthcare information actually come from healthcare providers -- not from hackers.

“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors -- but rather by internal negligence,” said lead researcher John (Xuefeng) Jiang.

Where things go wrong

The researchers analyzed 1,150 data breaches that occurred over an eight-year period -- from 2009 through 2017 -- and affected over 164 million people.

Jiang and his partner Ge Bai found that over 50 percent of data breaches were due to mistakes by healthcare providers, while just 12 percent were due to hacking, and 33 percent came from theft. Some of the errors were simple mistakes, but the researchers note that others have serious implications.

“One-quarter of all the cases were caused by unauthorized access or disclosure -- more than twice the amount that were caused by external hackers,” said Jiang. “This could be an employee taking home [personal health information] or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing encrypted content.”

According to the researchers, these mistakes aren’t just limited to hospitals, but rather reach every realm of the healthcare field -- insurance companies, doctors’ offices, and pharmacies are all at fault.

Moving forward, the researchers suggest that healthcare providers do everything in their power to ensure patients’ personal information is kept safe. This can include making the switch to digital medical records, encrypting all patient information, and verifying email recipients when sending records electronically.

“Every time a hospital has some sort of data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause,” Jiang said.

Keeping things private

A recent survey asked healthcare officials what the most pressing issues are in the field going into 2019, and, unsurprisingly, cybersecurity was at the top of many respondents’ minds.

Eighty-seven percent of survey participants said they planned to increase spending for cybersecurity in 2019, while no one planned to decrease spending in this area.

The issue has spread into national agencies as well, as both the Food and Drug Administration (FDA) and Department of Homeland Security (DHS) recently teamed up to prevent cybersecurity attacks on medical devices.

“The FDA has been proactive in developing a robust program to address medical device cybersecurity concerns,” said FDA Commissioner Scott Gottlieb. “But we also know that securing medical devices from cybersecurity threats cannot be achieved by one government agency alone.”

Additionally, pacemakers were under attack late last summer, as the FDA announced that 465,000 devices were found to have cybersecurity flaws. Consumers were encouraged to install a firmware update on their devices with the help of their medical professional in an effort to combat the attacks.
