As digital healthcare gains ground, is our data actually secure?

A SecureLink report found that 44% of healthcare organizations have been breached in the last year

The two big trends in healthcare over the last half decade or so are the rise of big data, and the rise of digital health. Those two things are interwoven: wearables, devices, and apps are a big part of why so much data is now flowing through the ecosystem, along with EHR systems, and that data is what allows for patients to have greater control over their own health. This became especially important during the pandemic, when the doctor patient relationship became virtual. 

While the benefits of big data and digital health are myriad, there's also a potential downside: they pose a big risk in terms of all of that data being collected then being breached and stolen. There have been numerous cases of that happening recently, but the scope of the problem might be bigger than most people realize, or want to believe.

According to a report released last week from critical access management company SecureLink, titled “A Matter of Life And Death: The State of Critical Access Management in Healthcare,” found that 44% of all healthcare and pharmaceutical organizations experienced a data breach caused by a third party within the last 12 months. 

The report, which took responses from 69 individuals in the industry, was part of a larger study done by Ponemon Institute in December 2020, which looked at six industries, including financial services, public sector, services, and industrial and manufacturing. In total, the larger report featured responses from 627 individuals across these sectors.

Of all industries, only those in the financial services space reported a higher percentage of data breaches than those working in health and pharmaceutical, while transportation services and public sector organizations also reported over 40%.According to the report, the healthcare sector suffers four times more cyber attacks than other industries, potentially exposing the data of 26 million people.

Even more worrisome is that, despite knowledge of the threat, the companies themselves seem to have little insight into who has access to their data: only 41% of healthcare and pharmaceutical organizations said they have a comprehensive inventory of all third parties with access to their network. That's compared to 53% of organizations in the public service space, 47% in industrial and manufacturing, and 45% in financial services. 

On top of that, only 44% of those in the healthcare and pharma space said they have visibility into the level of access and permissions that both internal and external users have. Only financial services had a lower percentage, with 38% of those surveyed agreeing that their organization had this type of visibility.   

The effects of this lack of insight and preparedness are already being felt: another report found that there was a 55% increase in healthcare breaches from 2019 to 2020. Data also shows there were 2,084 ransomware complaints in the first half of 2021, representing a 62% increase over the first half of 2020, resulting in more than $16.8 million in losses, a 20% year-to-year increase.

Some of the healthcare institutions and organization that have seen data breaches over the last year or so include UC San Diego Health, Eskenazi Health, Johnson Memorial Health, Schneck Medical Center, Horizon House, Samaritan Center of Puget Sound, GetHealth, and UMass Memorial Health. 

The SecureLink report doesn't only show the problem but also outlines a few ways that companies can protect themselves, including access governance, which means performing user access reviews; access controls, meaning allowing IT or security professionals to have more control over user access rights; and access monitoring, which involves providing session audits that show who accessed what data, when, how, why, and for how long.

“Attacks by third parties are on the rise across industries—and healthcare is no exception. It’s also clear there's an alarming disconnect between how an organization perceives a third-party threat and the actual reality of dangerous third-party access threats, as evidenced in the scarce security measures organizations employ,” Daniel Fabbri, SecureLink Chief Data Scientist, said in a statement.

“Now is a pivotal moment for improving critical access management, which is a vital step in monitoring and securing third-party access. Healthcare providers need to be armed with the information and tools to navigate the state of critical access management, mitigate future cyber attacks, and eliminate vulnerabilities that can threaten HIPAA and HITECH compliance.”

(Image source: managedsolution.com)