Breaches of USA Medical Health Information
The U.S. Department of Health and Human Services Office for Civil Rights lists USA medical health information breaches affecting 500 or more individuals that occurred within the last 2 years and that are still under investigation.
The USA medical breach data for the last 2 years is displayed as a sortable list and can be downloaded as a Spread Sheet or CSV file for further analysis. At the time of writing there are 354 entries from 500 individuals affected up to 10,000,000 although with the latter being such a nice round number some rounding was probably involved. The average number of individuals per case approaches 79,000.
The nature of private health care within the USA means that medical records could be accessed by many gateways. For example a health care provider administering the care and the insurer (health plan) taking responsibilities for the costs. With a national health service these would be the same body and hopefully share common security protocols. The data indicates that the majority of breaches are, however, within the provider rather than the insurer.
- Healthcare provider: 283
- Health plan: 51
- Business associate: 19
- Unknown: 1
Relying on a private health care system also requires financial as well as medical records to be kept. These should be kept separate but medical identity theft may offer enough clues to access financial data. This added incentive plus the wider range of services makes the USA medical information systems an attractive target for hackers. Data security protection and exploitation will follow the same guidelines the world over so the causes of breaches would be of interest to anyone holding medical information. Looking at the numbers below hacking is the most common cause of breaches but accounts for a little under half the cases:
- Hacking: 149
- Unauthorised access: 126
- Theft: 62
- Loss: 9
- Improper disposal: 8
The cases of theft refer to physical theft of a device that contains the data rather than virtual theft of data from a server or workstation. 9 of the cases of theft were from paper or film records and 10 from portable electronic devices. The remaining thefts are either labelled ‘other’ or linked to theft of a computer or laptop.
Hacking is the hardest data breach to completely prevent. Whatever methods are in place someone will be working on overcoming them, requiring a constant review of security procedures. Kindus are in a position to offer confidential, bespoke advice on reducing the risk from hackers. Instances of unauthorised access, theft or loss of physical data stores will be minimised by setting up good practice together with staff training to ensure that standards are maintained. Identity theft, disgruntled or poorly informed employees are causes of leaked account details that will allow a criminal access to data by-passing any security measures that are in place as the system assumes that they are a valid user. Kindus provide security audits and staff training to ensure that details of key accounts are not leaked.
Devices can be physically secured to reduce the risk of theft. With network and cloud based storage there is less need to keep records on physical devices than in the past. Where it is still required access to those devices should be restricted with strong encryption that prevents the data itself from being accessed by an unauthorised user or from unauthorised locations.