Monthly Healthcare News Roundup: Millions of Americans’ Healthcare Data Exposed on the Internet, Best Practices for Mitigating Insider Threats, NIST Releases Guidance on Preventing Security Breaches in Healthcare, and More

Every month, we compile the most compelling healthcare privacy and security related news stories. Below, you’ll learn more about millions of Americans’ medical imaging data being available for anyone to view on the internet, NIST releasing guidance on preventing security breaches in healthcare PACS, and more.

Millions of Americans’ medical images and data are available on the internet, and anyone can take a peek

Medical records of over five million patients across the United States, including MRIs, X-rays, and CT scans, are floating around the internet completely unprotected. News source ProPublica identified 187 servers that store medical data and lack basic security precautions like password protection. Anyone with access to the right software programs – or even just their web browser – could access medical images and health information, including names, birth dates, and social security numbers.

“It’s not even hacking. It’s walking into an open door.” – Jackie Singh, Chief Executive of Spyglass Security

Under the HIPAA Security Rule, healthcare providers are legally obligated to secure patient data. To find out whether your organization’s PHI is properly safeguarded, read the full article to determine if your medical imaging data has adequate security measures in place.

70% of data involved in healthcare breaches increases risk of fraud

According to a study published in the Annals of Internal Medicine, the majority of data compromised by healthcare breaches is at an increased risk of identity theft and fraud. The study, led by researchers from Johns Hopkins University and Michigan State University, analyzed nearly 1,500 breaches of protected health systems reported to the US Department of Health and Human Services (HHS) over the past 10 years.

The study categorized patient data under these distinct categories:

  • Demographic details
  • Financial data
  • Medical information

Researchers found that medical information such as HIV status, substance abuse, and other sensitive diagnoses is most likely to be used for fraud. 66% of breaches exposed sensitive demographic information such as Social Security numbers, driver’s license numbers, and dates of birth, while a whopping 71% of breaches, involving 159 million patients, exposed demographic or financial information, leaving those patients susceptible to identity theft. In conclusion, the study revealed that hackers increasingly target healthcare providers for financial gain.

Sentara sees net income climb 81% in first half of 2019

Sentara Healthcare, an innovative medical system based in Norfolk, VA, recorded a total revenue of $3.3 billion during the first half of 2019’s fiscal year. After seeing a decline in net operating income during the first half of fiscal year 2018, Sentara bounced back, driven by a growth in net patient service revenue. This resulted in the system earning a net income of $569.4 million, up 81.2% from the $314.1 million in net income from the previous year.

Interested in learning more about Sentara’s success in the first half of 2019? Read the full article for more details.

Healthcare cyberattacks on the rise, small hospitals most vulnerable

A new report by Moody’s Investors Service reveals that the interconnected nature of operations and information technology in hospitals comes with increased cybersecurity risks. And small organizations are the most vulnerable to cyberattacks, as they often lack the resources necessary – including up-to-date technology and personnel in cybersecurity roles – to absorb the financial impact. The study determined three ways hospitals are affected by cyber threats:

  1. Threats that jeopardize patient safety and result in harm or death, including cyberattacks against medical devices such as insulin pumps and cardiac monitors.
  2. EHR disruption, cyberattacks and ransomware that compromise EHR data to disrupt a hospital’s revenue cycle and cash flow. This also includes changing medical orders and test results.
  3. Increased sharing of health data. As health organizations become more interoperable between systems, business associates, and vendors, PHI becomes more vulnerable thanks to the increased access from multiple avenues.

NIST proposes PACS cybersecurity guidance for health providers

Due to imaging technology innovations in the past decade, it’s now easier than ever to upload, share, and store medical images and records online. And with that accessibility comes risk. To analyze and work toward mitigating potential threats, the National Cybersecurity Center of Excellence at NIST built a medical imaging test environment in a laboratory and then performed a risk assessment to identify how NIST Cybersecurity Framework controls could secure that environment. The goal is to identify ways for real health systems to secure their Picture Archiving and Communication Systems (PACS).

“The threat landscape is broad. If not properly secured, vulnerabilities may be introduced into the PACS ecosystem, either affecting clinical information stored in the PACS environment or allowing malicious actors to leverage components within the ecosystem as pivot points into the integrated healthcare information system.” – NIST

OCR shares best practices for managing malicious insider threats

The Office for Civil Rights (OCR), in tandem with the Department of Health and Human Services (HHS), released guidance on ways that healthcare organizations can respond to insider threats. According to the 2019 Verizon Data Breach Investigations Report, inside actors are responsible for 59% of all security breaches and incidents – and healthcare is the industry most heavily impacted by data breaches. The best practices detail measures that can protect healthcare systems against insider threats, including simple security controls and implementing patient privacy monitoring.

“The healthcare sector is a tempting target for malicious insiders who seek to disclose or steal an organization’s sensitive information,” wrote OCR officials. “However, by recognizing the risks and implementing appropriate safeguards, organizations can manage this risk and comply with the law.”
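The OCR guidance above names patient privacy monitoring as an insider-threat control without showing what such monitoring looks like in practice. The following Python script is an added illustration, not code from the original article, from OCR, or from any vendor: it replays a constructed EHR access audit log (the log lines, user names, patient IDs, and care-team assignments are all made up for the example) and flags the three signals privacy-monitoring programs most commonly start with: a user opening a chart of a patient they have no treatment relationship with, access outside normal working hours, and a user touching an unusually large number of distinct charts in one session.

```python
"""Toy patient-privacy monitor over a constructed EHR audit log.

Added example for illustration only. The audit-log format, the care-team
table, and all names and identifiers below are assumptions made up for
this example; a real deployment would read these from the EHR's audit
trail and its admission/care-assignment data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines (not real data): who opened which chart, when.
AUDIT_LOG = """\
timestamp,user,patient_id
2019-09-18T09:15:00,nurse_ann,P1001
2019-09-18T10:02:00,dr_lee,P1001
2019-09-18T11:00:00,tech_dan,P1004
2019-09-18T11:05:00,tech_dan,P1005
2019-09-18T11:10:00,tech_dan,P1006
2019-09-18T11:15:00,tech_dan,P1007
2019-09-18T14:00:00,nurse_ann,P1003
2019-09-18T23:40:00,clerk_bob,P1002
"""

# Constructed treatment relationships: which staff legitimately care for
# which patient. Anyone else opening the chart has no clinical reason to.
CARE_TEAM = {
    "P1001": {"nurse_ann", "dr_lee"},
    "P1002": {"dr_kim"},
    "P1003": {"nurse_sue"},
    "P1004": {"tech_dan"},
    "P1005": {"tech_dan"},
    "P1006": {"tech_dan"},
    "P1007": {"tech_dan"},
}


def parse_audit_log(text):
    """Parse CSV audit lines into (timestamp, user, patient_id) tuples."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(
            (datetime.fromisoformat(row["timestamp"]), row["user"], row["patient_id"])
        )
    return events


def flag_events(events, care_team, max_distinct_patients=3, work_hours=(6, 20)):
    """Return (user, patient_id, reasons) for every access that trips a rule.

    Rules (thresholds are illustrative assumptions, tune to the site):
      - no treatment relationship: user is not on the patient's care team
      - after-hours access: outside the work_hours window [start, end)
      - high patient volume: user exceeded max_distinct_patients distinct charts
    """
    findings = []
    charts_seen = defaultdict(set)  # user -> set of distinct patient IDs opened
    start_hour, end_hour = work_hours
    for ts, user, patient_id in events:
        reasons = []
        if user not in care_team.get(patient_id, set()):
            reasons.append("no treatment relationship")
        if not (start_hour <= ts.hour < end_hour):
            reasons.append("after-hours access")
        charts_seen[user].add(patient_id)
        if len(charts_seen[user]) > max_distinct_patients:
            reasons.append("high patient volume")
        if reasons:
            findings.append((user, patient_id, reasons))
    return findings


if __name__ == "__main__":
    for user, patient_id, reasons in flag_events(parse_audit_log(AUDIT_LOG), CARE_TEAM):
        print(f"{user} -> {patient_id}: {', '.join(reasons)}")
```

The care-team lookup is the rule that matters most: a billing clerk opening an oncology chart at midnight is suspicious on all three counts, but a nurse opening one chart on a ward she is not assigned to trips only the relationship rule, which is exactly the "curiosity" snooping that privacy-monitoring programs exist to catch. The volume threshold is deliberately a separate rule so that legitimate high-volume roles (imaging technicians, for example) can be given a higher limit without loosening the relationship check.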