A study published earlier this year demonstrated how challenging it is for organizations to meet HIPAA compliance requirements for patient data protection. Even where healthcare providers had fulfilled HIPAA requirements, the study still found major security risks and breaches.
Indeed, during the period from September 2012 to October 2013 there were 49,217 malicious events involving 723 malicious source IP addresses that impacted 375 organizations in the healthcare arena.
The compromised organizations fall into these six classifications:
- Providers subject to the HIPAA Rule include MDs, clinics, dentists, chiropractors, psychologists, pharmacies and nursing homes that use electronic means to transmit healthcare information. The size of the practices ranged from 1 to 9,000+. 72% of the malicious traffic detected affected this group.
- Business associates, that is, businesses or individuals associated with healthcare organizations and involved in the transmission of protected health information, represented 9.9% of the malicious traffic. Businesses that provide data transmission services and fall under the HIPAA Omnibus Rule include hosting services for health records, health information exchanges and electronic prescribing systems.
- 6.1% of the malicious traffic observed involved medical, dental and vision plans. In addition, a wide range of insurers, such as HMOs, government-sponsored insurance programs and corporate health plans, were subject to attack. Criminals are especially attracted to the large databases associated with these health plans.
- Clearinghouses involved in the formatting of nonstandard health information into standard electronic form or data content, drew 0.5% of malicious assaults.
- Pharmaceutical, biotech and companies involved in human clinical research accounted for 2.9% of the malicious strikes.
- The remaining 8.5% of the criminal cyber-attacks comprised various nonprofits, emergency relief groups and other organizations that offer services to employees of healthcare organizations.
The targeted organizations exhibited susceptibility at three major points that they relied upon for security protection:
- 17% of the traffic emanated from connected medical endpoints. These were identified as radiological imaging software, video conferencing systems and digital video systems used for remote operation. Unfortunately, other network-attached devices such as fax machines, printers and security cameras are often overlooked in security risk analysis.
- 8% of the malicious traffic occurred at a medical supply firm’s call center website. A personal health record system was also compromised. Where records are not tied to a HIPAA/HITECH-sanctioned electronic health record system, consumers may end up paying for damages caused by medical identity theft. Compromised internet-facing personal health data found in medical and insurance files is estimated to cost $12 billion out of pocket this year.
- Security systems and edge devices such as firewalls, VPN applications and devices, enterprise network controllers and routers transmitted about 59% of malicious traffic. These were either compromised or were not picking up the malicious traffic running inside the protected perimeter. This implies that the organization’s security system does not comply with HIPAA reporting rules for patient data.
There are a number of things you can do to help prevent or mitigate these attacks. Please contact us for more information.