Reliance on third-party data controllers is putting organizations at increased risk

The healthcare industry is in need of some digital resuscitation, as data breaches and vulnerable IoT devices continue to bring the sector new threats to contend with.

In the US alone, the trade-off to accessible, cutting-edge care has meant a surge in patient data compromised, with data breaches increasing a concerning 50% between 2017 and 2019, according to researchers at SecurityScorecard.

This has meant sensitive information belonging to patients – such as that found in Electronic Personal Health Information (ePHI) and Electronic Medical Records (EMR) – is still bringing in value to malicious actors of all sorts.

As of this year’s Cost of a Data Breach report from the Ponemon Institute, for instance, one compromised EMR can mean $150 added to the bill of any healthcare organization, a reality that has made the medical sector the most costly industry in which to experience a data breach.

“The healthcare industry continues to struggle with securing ePHI, leading to data breaches and HIPAA [Health Insurance Portability and Accountability Act] violations, as well as other regulatory and industry standards compliance issues,” Fouad Khalil, SecurityScorecard’s vice president of compliance, told The Daily Swig.

“While the number of breaches remained static, the number of confirmed data disclosures as a result of the breaches nearly doubled.”

A report published recently by Khalil and his team at SecurityScorecard hopes to assist health-focused organizations with recognizing common attack vectors and knowing the best practices to defend against them.

Most of these exploited vulnerabilities, the report found, arise from weak web application security, which the widespread adoption of internet of things (IoT) enabled-care and mobile technologies is only expediting.

“Web application vulnerabilities are a frequently used vector of attack by malicious actors,” Alex Heid, chief research officer at Alex Heid Security Scorecard, told The Daily Swig.

“Attacks such as stolen credentials, SQL injection, and remote code execution are frequently used as ways of obtaining access to database records.”

The reliance on third-party data controllers has also increased undetermined risk to healthcare organizations, Heid explained, with responsibility placed on a vendor that may be transfer or store patient data without compliance to HIPAA safeguards.

“As such, the information may be put at risk through an application level exploit,” Heid said.

Fine heavy regulation such as HIPAA – which saw over $28 million in settlement fees throughout the US last year – is believed to have helped bring security to the forefront, however.

That being said, while there has been an undeniable growth in security positions cross-sector, smaller healthcare organizations are remaining particularly vulnerable due to having less resources available, SecurityScorecard found.

“A point-in-time compliance stance is no longer sustainable,” Khalil said, highlighting how standards for security are slowly becoming the norm, particularly with regulation like GDPR now accompanying the likes of HIPAA.

“Healthcare organizations must adopt continuous assurance practices to maintain compliance and adequately protect data.”

He added: “We must remain diligent and proactive to keep our names off of the news!!!”


YOU MAY ALSO LIKE NHS healthcare facilities given fresh set of cybersecurity tools