Healthcare Data Security

OIG Issues Warning About HHS Agency Phone Scams

This year has seen numerous email scams aimed at obtaining the tax information of employees, but phone scams have also spiked in recent weeks. One of the latest phone scams saw the Department of Health and Human Services’ Office of Inspector General (OIG) impersonated, prompting the HHS watchdog to issue a warning.

The scammers placed calls pretending to be from the OIG, claiming individuals were eligible to receive a government grant. While this would likely appear suspect, the caller ID displayed the number 1-800-447-8477 (1-800-HHS-TIPS). If the number was checked, it would appear the call was genuine. The number is the OIG hotline number for reporting potential incidents of fraud.

The scammers tell individuals they are eligible to receive government grant money as a result of paying their taxes on time. However, in order to qualify for the grant, it is first necessary to confirm an individual’s identity. The attackers ask the individual to confirm their name and Social Security number or bank account number and other personal information.

Individuals are also told they need to pay a fee to cover processing costs for issuing the grant. The scammers pocket the payments and use the data collected during the phone calls for a range of nefarious purposes, including gaining access to bank accounts to make fraudulent transfers.

One woman was asked to make a transfer of $250 to cover fees related to a grant of $9,000. The fees had to be wired via Western Union, or alternatively she could provide a confirmation code for an iTunes Gift Card for $250. In that case, suspicions were aroused and the woman ended the call. However, OIG says, not without first confirming her identity and providing information that could potentially allow her bank account to be accessed.

OIG says the criminals have already placed thousands of calls, which in some cases has resulted in individuals sending money to the scammers.

This scam came to light in February when OIG first started receiving calls questioning the validity of the offer. Since the OIG hotline number appeared to have been used, an investigation was launched to determine whether any OIG systems had been breached. The investigation confirmed that the phone number had been spoofed.

OIG is continuing to investigate the scams and is working with Verizon Communications to prevent its hotline number from being spoofed again. OIG says two individuals are being investigated in relation to the scam and one criminal case is proceeding.

While this scam used the OIG number, other scams have spoofed other HHS agency numbers. Other HHS agencies have also been impersonated and different official numbers spoofed. The callers claim to work for the Federal Grants Department or some variation along that theme. OIG says cybercriminals are able to spoof any legitimate number.

OIG notes that the hotline number is never used to make outgoing calls and that the federal government will never make unsolicited phone calls.

OIG says no one should give out or confirm their date of birth, Social Security number, credit or bank account information, mother’s maiden name or other sensitive information to unknown individuals over the telephone, even if callers sound authoritative.

The post OIG Issues Warning About HHS Agency Phone Scams appeared first on HIPAA Journal.

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.

Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation.

The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients.

OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from being successful; however, OCR investigators uncovered multiple violations of HIPAA Rules.

Phishing attacks on healthcare organizations are to be expected and it would be unreasonable to expect healthcare organizations to be able to reduce the risk of a successful phishing attack to zero. However, HIPAA-covered entities must take steps to identify potential risks and to take action to reduce risks to an appropriate level.

One of the fundamental elements of the HIPAA Security Rule is the risk analysis. The purpose of the risk analysis is to identify risks to the confidentiality, integrity, and availability of electronic protected health information. If a risk analysis is not conducted, HIPAA-covered entities will not be able to determine with any degree of certainty whether all risks have been identified. Appropriate measures to reduce those risks to acceptable levels would therefore be unlikely to be implemented.

While OCR confirmed that MCPN had conducted a risk analysis, it had not been performed until mid-February 2012, more than two months after the phishing attack had occurred. Further, that risk analysis and all subsequent risk analyses performed by MCPN did not meet the minimum requirements of the HIPAA Security Rule.

The lack of a risk analysis meant MCPN failed to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that the organization held. MCPN also failed to implement a risk management plan to address risks identified in the risk analysis.

OCR also determined that MCPN had failed to implement appropriate security measures to reduce risks to a reasonable and acceptable level and policies and procedures to prevent, detect, contain, and correct security violations had also not been implemented.

When deciding an appropriate settlement, OCR took into consideration MCPN’s status as an FQHC and its financial position to ensure MCPN could maintain sufficient financial standing to continue to provide ongoing patient care. The HIPAA settlement could have been considerably higher.

This is the first HIPAA settlement announced since the appointment of Roger Severino as Director of OCR. Severino issued a statement about the settlement explaining “Patients seeking health care trust that their providers will safeguard and protect their health information…Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

This is the fifth HIPAA settlement of 2017. OCR has previously agreed to settle potential violations of the Health Insurance Portability and Accountability Act with the following HIPAA-covered entities in 2017:

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

Healthcare Organizations Targeted with New Ransomware Campaign

Two hospitals have been attacked and had their files encrypted by Philadelphia ransomware. The latest campaign appears to be targeting hospitals in the United States.

Philadelphia ransomware is a form of Stampado ransomware that was first identified last fall. The new ransomware variant is not particularly sophisticated and a free decryptor does exist (available from Emsisoft); however, a successful attack is likely to prove costly to resolve and has the potential to cause considerable disruption. An attack may even warrant HIPAA breach notifications being sent to patients if ePHI is encrypted.

The ransomware variant has been made available under an affiliate model and amateur attacks are being conducted. Brian Krebs recently found an online video promoting the ransomware variant highlighting its features and its potential for customization. The video claims that Philadelphia ransomware is the most advanced and customizable ransomware variant available.

Any would-be attacker can rent the ransomware by paying a one-off fee of $400 to the authors. After the fee is paid, the ransomware can be customized and used for personal campaigns.

At least one individual is conducting attacks on healthcare organizations, according to Forcepoint. Its researchers detected a campaign that uses a malicious DOCX file to download the ransomware. In this case, the Word document was not attached to a spam email, instead a malicious link was sent in a spear phishing email. Clicking the link triggers a download of a malicious DOCX file.

If the user opens that file they will be presented with three icons. Clicking any of those icons will launch malicious JavaScript that will download Philadelphia ransomware onto the device. The ransom currently demanded per infected device is 0.3 Bitcoin – approximately $364.

The attacker has used a variety of techniques to improve the chances of the icons being clicked. Spear phishing emails are sent to individuals within a targeted healthcare organization. The Word document contains the health organization’s logo along with the name of a physician at the hospital. The icons in the Word document appear to link to patient information contained in the file.

Forcepoint analyzed the JavaScript and detected a string called hospitalspam. A directory on the C2 also contained a folder with the same name, suggesting the attacker is targeting U.S. hospitals. Two hospitals in the U.S. have already fallen victim to a Philadelphia ransomware attack. Forcepoint reports that one hospital in Oregon and another in Southwestern Washington have been infected. The campaign appears to have started in the third week of March.
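
The delivery mechanism described above, a Word document whose clickable icons are embedded objects that launch a script, can be triaged before the file reaches a user. The following scanner is an added example and is not code from Forcepoint or HIPAA Journal. It relies on the structure of the .docx format (a zip archive in which embedded objects sit under word/embeddings/ and are referenced from word/_rels/document.xml.rels with the oleObject relationship type) and on a byte search for script-type file names inside those objects. The sample document, its object names and the `scan_docx`, `verdict` and `build_sample_docx` helpers are all constructed for the example.

```python
"""Triage a .docx for embedded objects that would launch a script when clicked.

Added example, not from Forcepoint or HIPAA Journal. The .docx layout facts
used here (zip container, word/embeddings/, oleObject relationship type) are
part of the Office Open XML format; the sample document is constructed.
"""
import io
import re
import zipfile

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# File-name extensions that hand the object to a script host when the icon is
# double-clicked. Constructed list for the example; extend to local policy.
SCRIPT_NAME = re.compile(rb"[\w\-]+\.(?:js|jse|vbs|vbe|wsf|hta|ps1|cmd|bat)\b", re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Return a report: embedded object names, oleObject relationship count and
    any object whose bytes carry a script-type file name."""
    report = {"embedded": [], "suspicious": [], "ole_rels": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        rels = "word/_rels/document.xml.rels"
        if rels in names:
            report["ole_rels"] = zf.read(rels).decode("utf-8", "replace").count(OLE_REL)
        for name in names:
            if name.startswith("word/embeddings/"):
                report["embedded"].append(name)
                match = SCRIPT_NAME.search(zf.read(name))   # 8-bit names only
                if match:
                    report["suspicious"].append((name, match.group(0).decode("latin-1")))
    return report


def verdict(report: dict) -> str:
    """BLOCK when a script-type embedding is found, REVIEW when any object is
    embedded at all, CLEAN otherwise."""
    if report["suspicious"]:
        return "BLOCK"
    if report["embedded"]:
        return "REVIEW"
    return "CLEAN"


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx with three embedded objects whose
    names mimic the 'patient information' lure; one packages a .js file."""
    ole_header = b"\xd0\xcf\x11\xe0"      # start of a compound-file header
    rels = "<Relationships>" + "".join(
        f'<Relationship Id="rId{i}" Type="{OLE_REL}" Target="embeddings/oleObject{i}.bin"/>'
        for i in (1, 2, 3)) + "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", ole_header + b"Patient_Records.pdf\x00")
        zf.writestr("word/embeddings/oleObject2.bin", ole_header + b"Lab_Results.xlsx\x00")
        zf.writestr("word/embeddings/oleObject3.bin", ole_header + b"Patient_Records.js\x00")
    return buf.getvalue()


if __name__ == "__main__":
    rep = scan_docx(build_sample_docx())
    print(verdict(rep), rep)
```

The byte search only catches file names stored as 8-bit text; a production mail or endpoint filter should parse the OLE Packager stream properly (the open-source oletools package does this) rather than rely on a string match, and a REVIEW verdict on a document that arrived by an unsolicited link is itself reason enough to hold it.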

The discovery shows malicious actors are actively targeting the healthcare sector and further attacks are likely.

Recovery from a Philadelphia ransomware attack is a fairly straightforward process; however, the rise in popularity of ransomware-as-a-service could see healthcare organizations targeted more heavily over the coming months. Other ransomware variants may not prove so easy to remove.

Hospitals and other healthcare organizations should ensure they have implemented defenses against ransomware attacks, developed a disaster response plan specifically for ransomware attacks and have effective backup policies in place.

918,000 Patients’ Sensitive Information Exposed Online

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months.

The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Services installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago, although the data provided to the developer were not secured and could be accessed online.

The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data.

The data breach was investigated by ZDNet and Databreaches.net, who contacted AWS to report the exposure of sensitive data. Amazon made contact with the software developer who removed the data. ZDNet/Databreaches.net also managed to contact the owner of HealthNow Networks – which is no longer in business – and the software developer, both of whom confirmed the database has now been deleted.

While the data are no longer accessible online, the investigation revealed that many of the individuals whose data were exposed had their email addresses listed on the Have I Been Pwned website, suggesting the database may already have been accessed and downloaded and used for spamming and fraud. However, the logs detailing who accessed the data were not provided to ZDNet/Databreaches.net.

The data breach has now been reported to the FTC, FBI and other law enforcement agencies. The report of the breach and investigation can be viewed on Databreaches.net and ZDNet.

Affected Individuals May Not be Notified

The database contained a number of data elements that are included in the HIPAA description of protected health information (PHI).

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires HIPAA covered entities to notify patients of any breach of their protected health information (PHI). However, HIPAA only applies to HIPAA-covered entities and their business associates. Individuals whose information has been exposed will not necessarily be notified of the breach of their information as telemarketing firms are not HIPAA-covered entities.

Non-HIPAA-covered entities are required to issue breach notifications, although only under state laws. Many states have now introduced data breach notification laws to protect residents in the event of a breach of their sensitive data by non-HIPAA-covered entities, although gaps exist.

Only 47 states have introduced data breach notification laws, and the definitions of ‘personal information’ that warrant notifications to be issued differ state by state. Alabama, New Mexico, and South Dakota have yet to introduce breach notification laws, so residents of those states may not be notified of data breaches.

Whether individuals affected by a data breach will be notified depends on which company has experienced a data breach and where affected individuals live in the United States. Even if health data is exposed or stolen, breach notifications may not be issued.

2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches

2016 was a particularly bad year for healthcare data breaches. More data breaches were reported than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach summaries in 2009.

In 2016, 329 breaches of more than 500 records were reported to the Office for Civil Rights and 16,655,952 healthcare records were exposed or stolen.

2017 looks set to be another record breaking year for healthcare data breaches. Figures for the first quarter of 2017 show data breaches have increased, with rises in theft incidents, hacks and unauthorized disclosures.

By the end of Q1, 2016, 64 breaches of more than 500 records had been reported to OCR and 3,529,759 records had been exposed or stolen.

Between January 1, 2017 and March 31, 2017, OCR received 79 data breach reports from HIPAA covered entities and business associates. Those breaches have resulted in the theft or exposure of 1,713,591 healthcare records.

While fewer individuals have been impacted by healthcare data breaches than in the equivalent period last year, the number of reported breaches has increased by more than 23%.

Hacking incidents have increased by 26%, unauthorized access and disclosures have risen by 28%, and theft incidents have increased by 30%. Incidents involving improper disposal of PHI have remained the same and there has been little change in the number of reported loss incidents.

April has also started poorly, with Ashland Women’s Health having discovered a hacking incident that has resulted in the exposure of 19,727 patient health records.

While hacking incidents have risen year on year, the biggest threat comes from within. Protenus reports that in January, 59.2% of healthcare data breaches were caused by insiders, with February’s healthcare data breach report indicating insiders were responsible for 58% of breaches.

Largest Healthcare Data Breaches in Q1, 2017

Organization | Covered Entity Type | Type of Breach | Individuals Affected
Commonwealth Health Corporation | Healthcare Provider | Theft | 697,800
Urology Austin, PLLC | Healthcare Provider | Hacking/IT Incident | 279,663
VisionQuest Eyecare | Healthcare Provider | Hacking/IT Incident | 85,995
Washington University School of Medicine | Healthcare Provider | Hacking/IT Incident | 80,270
Emory Healthcare | Healthcare Provider | Hacking/IT Incident | 79,930
Stephenville Medical & Surgical Clinic | Healthcare Provider | Unauthorized Access/Disclosure | 75,000
Primary Care Specialists, Inc. | Healthcare Provider | Hacking/IT Incident | 65,000
ABCD Pediatrics, P.A. | Healthcare Provider | Hacking/IT Incident | 55,447
WellCare Health Plans, Inc. | Health Plan | Hacking/IT Incident | 24,809
Denton Heart Group | Healthcare Provider | Theft | 21,665

AHA: Law Enforcement Needs Resources to Help Prevent Healthcare Cyberattacks

The American Hospital Association (AHA) has urged Congress to provide law enforcement agencies with appropriate resources to help with the prevention of healthcare industry cyberattacks and assist with investigations into attacks.

The AHA provided a statement for a House Energy and Commerce Subcommittee on Oversight and Investigations hearing on public-private partnerships for healthcare cybersecurity. In the statement the AHA praised the efforts made by hospitals and health systems to improve data security and prevent cyberattacks.

The AHA explained that the vast majority of hospitals and health systems take the current cybersecurity challenges very seriously and have responded by investing heavily in cybersecurity protections to prevent cybercriminals from gaining access to networks and sensitive data.

The AHA said those efforts include the use of encryption to prevent the theft of PHI, making and testing data backups, conducting annual threat assessments and identifying potential vulnerabilities with extensive penetration testing. Hospitals and health systems are also increasingly conducting tabletop exercises and simulations to assess their disaster recovery and breach response plans.

A recent survey conducted on AHA members confirmed that 80% of hospitals have now implemented intrusion detection systems. 80% of hospitals also now use encryption on their wireless networks, removable media, and mobile devices. More than 90% of hospitals ensure pass codes are required to access mobile devices and have implemented policies that require the use of strong passwords. 90% of hospitals also conduct annual risk analyses and infrastructure security assessments.

However, even with these precautions, healthcare cyberattacks are inevitable and occasionally they will succeed. The AHA explains that collaboration is needed to tackle the threat. Many hospitals and health systems are now participating in threat intelligence sharing on a national level, via private sector programs such as those run by the National Health Information Sharing and Analysis Center (NH-ISAC) and the Health Information Trust Alliance (HITRUST).

The AHA explained that those information sharing programs have been effective and should receive continued support to ensure they can develop and provide actionable information and tools that help the healthcare industry prevent cyberattacks. However, further work is required in this area.

Healthcare organizations need to be provided with more actionable information on the latest cybersecurity threats. They need to be advised of the steps they need to take to secure their networks against new threats. At present, healthcare organizations are being given large volumes of generalized information, which can be difficult to interpret. Without tailored cyber threat information, it is very easy for healthcare organizations to get distracted and suffer information overload.

The AHA also points out that the healthcare industry is heavily regulated and healthcare organizations are required to comply with the HIPAA Security Rule. The HIPAA Security Rule requires covered entities to implement a range of measures to safeguard protected health information.

The AHA says that even when healthcare organizations implement best practices and comply with HIPAA Rules, cyberattacks may still occur. However, it was pointed out that data breaches and cyberattacks do not necessarily mean that HIPAA Rules have been violated. Healthcare organizations should therefore receive appropriate assistance and should not be blamed when attacks succeed and neither should they be presumed to be at fault.

Help should be provided with the investigation of breaches and any lessons that are learned should be shared with other healthcare organizations to prevent others from falling victim to similar attacks. The AHA says the victims of these attacks should be given appropriate support and resources, while the attackers should be identified and prosecuted.

The AHA says Congress should also ensure that law enforcement and other agencies get the resources they need to help prevent healthcare cyberattacks and to thoroughly investigate attacks when they do occur.

Healthcare Organizations Warned of Risk of Man-In-The-Middle Attacks

In its April cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights advised covered entities and their business associates to use Hypertext Transfer Protocol Secure (HTTPS) to ensure protected health information is not left unsecured.

While HTTPS has been adopted by many covered entities to protect communications from man-in-the-middle attacks, OCR has relayed a recent warning from the United States Computer Emergency Readiness Team (US-CERT) about vulnerabilities that may be introduced by the use of products that inspect HTTPS traffic.

The use of HTTPS inspection products increases security as it allows healthcare providers to detect malware and unsafe connections. Unsafe connections could potentially result in communications being intercepted, data being accessed or manipulated, or malicious code being run. However, OCR warns that certain HTTPS inspection products fail to correctly verify web servers’ certificates or do not pass on error messages and warnings to clients.

In order for HTTPS inspection to occur, network traffic must be decrypted, inspected, and then re-encrypted. To do that the HTTPS inspection product must install trusted certificates on clients’ devices to avoid triggering warnings. However, this could potentially mean the healthcare organization would be unable to verify web servers’ certificates. It would be possible to verify the connection between the healthcare organization and its inspection tool, but not between the healthcare organization and the web server. Some HTTPS inspection products do not allow verification of the entire certificate chain.

If the full certification chain is not properly verified, an organization could be exposed to man-in-the-middle attacks. OCR advises covered entities to follow the advice of US-CERT and verify that their HTTPS inspection product properly validates certificate chains and passes any warnings on to clients. They should also ensure that any HTTPS inspection product is properly installed, otherwise it may decrease security and introduce new vulnerabilities.

The HIPAA Security Rule requires covered entities to conduct regular risk analyses. OCR points out that HTTPS inspection tools should be included in those risk analyses and covered entities should weigh up the advantages and disadvantages of using those products.

Covered entities are advised to refer to NIST publications on securing end-to-end communications, in particular with regard to the configuration and use of TLS/SSL implementations and encryption processes to secure electronically transmitted PHI.

US-CERT offers advice to healthcare organizations on how they can reduce the risk of man-in-the-middle attacks and suggests organizations should:

  • Update Transport Layer Security and Secure Sockets Layer (TLS/SSL) to TLS 1.1 or higher and ensure SSL 1, 2 and 3.x are disabled.
  • Utilize certificate pinning.
  • Implement DNS-based Authentication of Named Entities (DANE).
  • Use network notary servers.
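
The two checks below are an added example, not code from OCR, US-CERT or HIPAA Journal. They cover the verification step OCR asks for (does the inspection product pass certificate warnings on to clients?) and the certificate pinning item in the US-CERT list. Run from a workstation behind the inspection product, `probe` and `judge` handshake with endpoints whose certificates are deliberately broken and report whether the client still sees the error; if the product re-signs a broken certificate with its own trusted CA, the handshake succeeds and the warning has been swallowed. `pin_matches` compares the SHA-256 fingerprint of the leaf certificate actually received with one recorded out of band. The badssl.com test hosts are assumed to be reachable and to carry the listed defects; the function names and the TLS 1.2 floor (one step above the TLS 1.1 minimum in the text) are choices made for this example.

```python
"""Client-side checks for an HTTPS inspection deployment.

Added example, not from OCR, US-CERT or HIPAA Journal. Assumes the badssl.com
test hosts are reachable and that this runs behind the inspection product.
"""
import hashlib
import socket
import ssl

# Endpoints that MUST fail verification when the path to the server is honest.
BROKEN_ENDPOINTS = {
    "expired.badssl.com": "expired certificate",
    "self-signed.badssl.com": "self-signed certificate",
    "untrusted-root.badssl.com": "chain ends in an untrusted root",
    "wrong.host.badssl.com": "hostname mismatch",
}


def make_strict_context() -> ssl.SSLContext:
    """Client context with chain and hostname verification on and TLS 1.2 as
    the floor. create_default_context() already refuses SSLv2 and SSLv3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with host. Returns (error, leaf_cert_der); error is None on success."""
    ctx = make_strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return None, tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:   # the client saw the problem
        return exc, None
    except (ssl.SSLError, OSError) as exc:        # network or protocol failure
        return exc, None


def judge(host: str, error) -> str:
    """Classify one probe of a deliberately broken endpoint."""
    defect = BROKEN_ENDPOINTS.get(host, "unknown defect")
    if error is None:
        return f"FAIL {host}: {defect} was accepted; the inspection product swallowed the warning"
    if isinstance(error, ssl.SSLCertVerificationError):
        return f"OK {host}: {defect} was rejected by the client"
    return f"INCONCLUSIVE {host}: could not complete the test ({error})"


def fingerprint(leaf_der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(leaf_der).hexdigest()


def pin_matches(leaf_der: bytes, pinned_sha256: str) -> bool:
    """Pinning check: True when the received leaf matches the recorded fingerprint.
    Behind an inspection product the received leaf is the product's re-signed
    copy, so a mismatch shows which path the connection actually took."""
    return fingerprint(leaf_der) == pinned_sha256.lower().replace(":", "")


if __name__ == "__main__":
    for host in BROKEN_ENDPOINTS:
        err, _ = probe(host)
        print(judge(host, err))
```

Any FAIL line means the product is not passing warnings through and, per the OCR advice, the deployment should be corrected before it is relied on; the same probes run from a host outside the inspection path give the baseline to compare against.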

Congress Advised to Offer Incentives to Improve Healthcare Threat Intelligence Sharing

With the healthcare industry under a sustained attack and the cyber threat landscape constantly evolving, law enforcement, the government, and private industry need to collaborate to counter the threat of cyberattacks. Cybercrime cannot be effectively tackled by organizations acting in isolation.

The sharing of threat information is essential in the fight against cybercrime. Dissemination of this information makes it easier for law enforcement and government agencies to combat cybercrime. Accessing that information also allows healthcare entities to take timely action to address vulnerabilities before they are exploited.

Government and law enforcement agencies are educating healthcare organizations on the importance of sharing threat intelligence, although currently too few entities are sharing threat information.

At a Congressional Energy and Commerce Committee hearing this week, cybersecurity experts made suggestions on how Congress can improve threat information sharing and improve healthcare cybersecurity.

At the hearing, Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC), explained that failing to take action to combat cybersecurity threats is putting patient safety at risk. In some cases, this could be a life or death matter for affected patients.

Ransomware can prevent patients’ health records from being accessed by healthcare providers; however, Anderson explained that data manipulation could be an even bigger problem. If cybercriminals were to change medical records, they could then demand a ransom from the healthcare provider to divulge which records had been changed. Data manipulation could result in patients being incorrectly diagnosed or provided with the wrong medications. That could have fatal consequences.

The healthcare industry has many small to medium-sized healthcare organizations that lack the capital and resources to deal with cybersecurity issues. They cannot keep up with the practices that are required to keep patients’ data secured. Many are faced with a choice – purchase essential medical equipment or a new cybersecurity tool. There is little incentive to choose the latter.

Cybersecurity Incidents Often Go Unreported

The number of cybersecurity threats has increased significantly in recent years, as has the number of reported healthcare data breaches, yet those reported breaches are just a fraction of the security incidents that are now plaguing the healthcare industry. Many cybersecurity threats and security incidents go unreported.

Evidence gathered from normal security monitoring suggests there are far more breaches occurring than current data breach reports suggest. Terry Rice, vice president of IT risk management and chief information security officer at Merck, suggested that while laws are in place that require healthcare organizations to report security incidents, current disclosure laws have limited requirements for reporting incidents, and many organizations are either not submitting incident reports or are delaying them.

Threat Information Sharing is Critical

While it is important for further efforts to be made to educate the healthcare industry on the importance of sharing threat information, education alone is unlikely to solve the problem. Sharing threat information carries a cost that many small healthcare providers simply cannot afford.

Anderson suggests that while there are clear benefits to participating in information sharing efforts, threat intelligence sharing should not be mandatory. Healthcare organizations should be given a choice. However, healthcare organizations can be encouraged to share information if they are offered financial incentives for doing so.

She also suggested ISACs should be offered tax breaks, that information shared through ISACs should be protected, and that organizations that share threat intelligence should be provided with better legal protections.

Congress was also advised to create permanent cybersecurity liaisons and leaders. Those individuals should be experienced cybersecurity professionals that are aware of the threats, vulnerabilities and cybersecurity issues faced by the healthcare industry.

Michael McNeil, global product security and services officer for Royal Philips, pointed out that cyberattacks on medical devices pose a serious threat to patients and potentially place patients’ lives at risk.

He suggested medical device manufacturers should be included in conversations about cybersecurity and should ensure security is considered at every stage of the manufacturing process. Device manufacturers must also address cybersecurity issues at every stage of the product lifecycle, not just until their devices come to market.

Device manufacturers also need to collaborate and agree to a set of standards that can be adopted to improve cybersecurity. There should be regulatory requirements covering cybersecurity for device manufacturers.

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.

The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.

33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.

The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veterans Affairs, military hospitals and long-term care hospitals.

The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third of hospitals (37%) that had experienced a data breach are classed as major teaching hospitals.

Linked hospitals had a median of 262 beds, while an analysis of 2,852 acute care hospitals that had not reported a data breach had a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.

The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.

The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.

The researchers suggest the reason why larger hospitals and teaching hospitals experience more data breaches is due to having broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests “There is a fundamental trade-off between data security and data access.” When data are made available to a greater number of individuals for research and education purposes it makes “zero breach” an extremely challenging objective.

While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.

While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.

The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk and hospitals must continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring; however, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.

Lead author of the study, Ge Bai, an assistant professor at Johns Hopkins Business School, said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”
