Healthcare information breaches continue to rise
One of the biggest threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber attacks, such as ransomware, on electronic health information systems.
This is according to Jocelyn Samuels, director of the Health and Human Services Office for Civil Rights, speaking on the back of the release of the fourth annual Data Breach Industry Forecast report from Experian.
According to the report, personal medical information remains one of the most valuable types of data for attackers to steal, and cyber criminals will continue to find a market for reselling this type of sensitive information on the dark Web.
The report states there were 181 reported healthcare breaches globally in 2016, ranging in size from 500 to 3.6 million affected individuals.
Wayne Clarke, MD of Metrofile Records Management, a group company of JSE-listed Metrofile, says the move by healthcare organisations to electronic records management (ERM) systems is creating the risk of data breaches.
"Healthcare organisations using an ERM system need to realise that sensitive and confidential information can be travelling with their employees wherever they go. A breach in data does not always occur as a result of a hacking attack, but can happen when an employee's electronic device gets stolen or as a result of something as simple as the misplacement of a USB stick."
Clarke adds the value of healthcare data is that it contains "highly confidential information that can be used for medical identity theft and fraud. Healthcare organisations need to be aware of the costs involved in crisis management if a cyber breach or systems failure occurs".
IBM's 2016 Cost of Data Breach study found the healthcare industry had the highest per capita data breach cost. It noted the average per capita cost of data breaches in SA in 2015 was $1.87 million, further stating South African companies had the highest percentage of human error data breaches, and that SA and Brazil are the countries with the highest estimated probability of occurrence.
Paul Williams, country manager of Southern Africa at Fortinet, says the most vulnerable point in a security framework is the users accessing and handling data on a daily basis.
"Whether it is data loss as a result of a phishing scam, hacked devices brought in from the outside or general carelessness when accessing sites or apps while on the network, there are a number of different ways employees can jeopardise patient data. Employee awareness is critical; executives and directors should lead by example and be a model for the rest of the organisation. Companies can also regularly schedule data training and education sessions throughout the year to provide the latest security trends to the organisation and to remind everyone that protecting data is everyone's responsibility."
Although employee awareness is essential, organisations should have adequate cyber security solutions in place, Williams stresses. "Evaluating the data security systems and processes in place should be a recurring process. This is essential, as changes in healthcare networks and the threat landscape often happen at a rapid rate. The healthcare industry is in the midst of a technological transformation with the goal of improving patient care, and IT needs to be ready to support this progression," he noted.