26 October, 2023
In the modern age of digitalization, where data is used as currency for online services, preserving privacy has emerged as a critical issue, specifically within the healthcare sector. The extensive variety of health information at the fingertips of anyone possesses tremendous potential for advancing medical research, improving the health of the population, and better healthcare outcomes. However, it also poses significant challenges and weaknesses in terms of protecting the privacy of personal health information.
According to an article from Health Affairs (which you can find here), policy changes in the aftermath of the 2022 US elections have influenced healthcare regulations, including patient data privacy. Such alterations could create uncertainty or possible gaps in the protection of privacy in the healthcare sector.
Why is Privacy in Healthcare more important than ever before?
The healthcare industry is currently experiencing a digital transformation, as an increasing number of services are being managed through digital channels. As a result of this digitization, a greater volume of health information is being produced. This must be secured against unauthorized access. Therefore, healthcare privacy is now more important than ever before.
As the amount of health data produced and kept digitally has increased, so has the probability of data breaches. Patients may be seriously impacted if unauthorized access to sensitive health information results from a data breach. Hence, preserving the privacy of health information is essential in order to prevent such breaches.
Why do data breaches occur within the Healthcare sector?
Common causes. Statistics taken from: Hipaa Journal (2020).
- Human Error: Errors committed by humans include misplacing devices, sending information to the incorrect recipients, misconfiguring systems, and improperly discarding records. Human error takes up to approximately 22% of healthcare data breaches.
- Insider Threats: Insider threats entail illicit or careless activities carried out by personnel, contractors, or business associates who are granted access to confidential information. Insider threats are responsible for approximately 12% of healthcare data intrusions.
- Malware and Hacking: Malware and hacking refer to cyberattacks, including phishing, ransomware, denial-of-service, and vulnerability exploitation. Malware and hacking account for approximately 61% of healthcare data breaches.
- Physical theft or loss: This includes incidents such as stealing devices, breaking into offices, or losing records during transit. Physical theft or loss accounts for about 4% of data breaches in healthcare.
The causes can be influenced by various factors, such as:
- Insufficient training and awareness: A considerable number of healthcare personnel may be uninformed regarding the risks and optimal approaches associated with data protection. Moreover, their education on how to prevent and address data breaches may be insufficient.
- Insufficient resources and security measures: Numerous healthcare organizations might be lacking in funds for necessary resources such as encryption, backup, firewall, antivirus, access control, or auditing tools to secure their data.
- Increasing complexity and volume of data: Healthcare data is becoming more complex and voluminous due to factors such as digital transformation, interoperability, telehealth, mobile devices, cloud computing, and artificial intelligence. This increases the challenges and opportunities for data breaches.
- Increasing frequency and sophistication of cyberattacks: As cybercriminals perceive healthcare data to be valuable, vulnerable, and critical, they are increasing the level of skill and frequency of their cyberattacks. They employ a variety of techniques and tools to exploit the vulnerabilities and flaws in healthcare systems.
Then who has been breached?
Unfortunately, there have been several data breaches in the healthcare sector in 2023. This part of the blog is mainly to showcase the severity of the situation that we are facing and why we will need to increase cybersecurity measures following these incidents.
Examples of incidents specifically in 2023 are as follows.
- The Mayo Clinic: The Mayo Clinic in January 2023 that approximately 1.5 million patients’ personal and medical information had been compromised as a result of a cyberattack. Phishing emails were utilized to infiltrate the Mayo Clinic’s network, allowing the installation of ransomware that encrypted the organization’s data. The Mayo Clinic informed the affected patients that it had successfully restored the data from backups. However the damage had already been done. Hackers had already compromised the information of the patients.
- UnitedHealth Group: The company announced in March 2023 that a data compromise had occurred, resulting in a release of health insurance details for an estimated 26 million members. A third-party vendor that provides UnitedHealth Group with data analytics services accidentally left an unsecured cloud storage container, which allowed unauthorized access to the data. UnitedHealth Group stated that it was communicating the affected members and collaborating with the vendor to secure the data.
- Kaiser Permanente: Kaiser Permanente disclosed the finding of a data breach affecting the financial and personal data of approximately 12 million customers in June 2023. An insider with malicious intent took and sold the compromised information on the dark web. Kaiser Permanente stated that it terminated the employee, notified law enforcement, and provided identity theft protection services to the impacted clients.
- CVS Health: The organization reported a data breach that compromised the medical records of approximately 21 million consumers in September 2023. An intruder gained access to the data by exploiting a vulnerability in the online pharmacy portal of CVS Health. CVS Health reported securing the data, patching the vulnerability, and notifying the affected people.
What are some of the measures that can be taken to reduce the risk of data breaches?
Data intrusions have the potential to cause significant damage to an organization. Such as financial losses, negative publicity, and legal consequences. Nonetheless, a number of countermeasures can be implemented to reduce the probability of such breaches.
An essential starting measure in mitigating the risk of data attacks is to perform a complete list of all locations holding sensitive information and data sets within the organization. This procedure, often referred to as data mapping, simplifies the identification of data types and locations. By being mindful of the nature and location of your data, you will improve its security against possible breaches.
It’s important, above performing a data inventory, to identify any sensitive information that you gather, keep, transmit, or process. This includes financial and personal information, as well as any other data that attackers could exploit. You can protect sensitive data by implementing the appropriate security measures if you are aware of its existence.
Addressing this, the SAMM (Software Assurance Maturity Model framework provided by the Open Web Application Security Project (OWASP) can be of immense assistance. SAMM serves as a practical manual that aids security personnel in comprehending and enhancing their security protocols. It aids the identification and prioritization of security concerns by providing organizations with an organized approach to security assessment.
Each of the four SAMM levels corresponds to a unique level of development in one’s security practices. As one progresses through the levels, an increasing number of effective security practices will be adopted. By implementing a phased approach, one can gradually enhance their security practices as opposed to attempting implementing each measure simultaneously.
SAMM consists of a set of optimal methodologies for every level of security assessment, in addition to offering a methodical framework to support these assessments. These industry best practices and most recent research-based recommendations serve as a firm foundation for enhancing your security procedures.
Getting started with SAMM
Codific has created a tool to easily implement SAMM. It is called SAMMY and you can use it for free on sammy.codific.com.
To start using SAMMY, simply visit sammy.codific.com and create an account. You can then choose to perform a quick assessment with 15 questions or a detailed assessment with 90 questions. SAMMY will then calculate your overall score, as well as your score for each business function and security practice. Finally, you can also see how you compare with other organizations in your industry or region.
Based on your results, SAMMY will provide you with a personalized roadmap. This roadmap shows you the best practices to adopt and the steps to take to improve your security. You can also set your own targets and priorities, and track your progress over time. SAMMY will also generate reports and dashboards. You can use these to communicate your security status and goals to your team, management, or clients.