CI Security today released its healthcare data breach report, which analysed breach notifications filed with the US Department of Health and Human Services (HHS). The analysis found that healthcare breach reports in the first half of this year were down 10.4% compared to the second half of 2019, and that the number of breached records fell by nearly 83%.
Cybersecurity experts were rather sceptical of the figures. Rather than rejoicing that cybercriminals had taken a break from targeting healthcare organisations during a pandemic, they offered a less reassuring explanation.
Robert Meyers, Channel Solutions Architect and Fellow of Information Privacy at One Identity, said underreporting is the likely culprit:
It is safe to suspect that this decrease might be due to lower reporting. The reason is simple: the world changed. The COVID-19 outbreak changed the way organisations work, and shifted everyone’s priorities. Organisations had to move people to work from home at a breakneck pace, and it is no secret that security and privacy were not high on the list of priorities. Many organisations expected reduced enforcement of breaches during the time, and some still do. So, while things may have calmed back down and organisations may have settled into their new, remote working set-up, we can expect a rise in breaches reported in the second half of the year, and an artificially low number in the first half of the year. Remember, we are still dealing with this forced “digital transformation”.
Warren Poschman, Senior Solutions Architect, comforte AG, explains why it’s so challenging for healthcare operators to secure data:
The healthcare industry may be the most vulnerable of all industries to cyber attacks. It’s about the data healthcare operators have access to. The security challenge for healthcare operators is extremely difficult, especially when data is stored in different locations and accessed through various technologies. However, we may be seeing a shift in approaches from ‘secure the technology’ to ‘secure the data’, which will reduce the threat of data loss and exposure when (not if) a cyber-attack happens. While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information – especially PII and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there might be fines coming up for this.