16 or 27 million 2016 breaches, 1 in 4 Americans? Data, IoT insecurity runs wild (US/UK)

What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2017/03/Accenture-Health-2017-Consumer-Survey.jpg” thumb_width=”150″ /]Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were usual, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release  PDF of the US Digital Trust Report

So what’s 16 million breaches between friends? Or 4 million? Or 27 million?

  • That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent and 44 percent respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
  • For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
  • HIMSS and Healthcare IT News insist that ransomware is under-reported, (more…)

Hospitals should ‘wash their hands’ of older medical devices, OS: expert

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, which he likens to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary unintentionally corrupting systems and devices down the line.  (more…)

How insecure can health data get? Very.

Gigaom is one of our go-to sites for enthusiastic whiz-bang health gadget coverage (and more), but here’s the downside of all those devices: all that data. And it’s not only not secure, but also getting more insecure. Grégoire Ribordy of Swiss encryption company ID Quantique makes some key (and scary) points on the data breaches looming–and he doesn’t mention that block of Swiss cheese Healthcare.gov once:

  1. One-stop storage for your total health records and data, an idée fixe among government and single-payer theoreticians, just makes it one-stop-shopping for hackers.
  2. Richer health data means more to steal and exploit.  There’s also the illegal use of genetic information for employment discrimination–hard to enforce regulations, easy to misuse personal data.
  3. Biological crime isn’t just a future plot of ‘Law & Order.’ Criminals can target patients with specific conditions–or healthcare workers can make money on the side by supplying accident victim data to personal injury attorneys, as recently happened in NY. For prominent people, their sensitive health information can be leaked to the press for profit. (more…)