In the aftermath of the media's whirlwind coverage of the recent uncovering of the NSA surveillance program and the U.S. government's attempts to convince major corporations to share user information, many people have viewed the security of their personal information with renewed interest. Most of that focus, however, has been on protecting sensitive data from massive corporate entities such as Google or Microsoft. Meanwhile, many individuals remain unaware that other institutions that they otherwise might deem trustworthy could be placing their personal information in danger of being accessed by hackers. One of the main offenders in this regard has been the healthcare sector.
A recent study on cybersecurity in the healthcare industry found that many facilities have failed to employ proper defenses to prevent patient information from being stolen or compromised. According to researchers, 39 percent of the survey participants admitted they had no response plan in place in the event of a data breach. Despite legislation such as the Health Insurance Portability and Accountability Act and the possibility of receiving substantial fines for failing to comply with federal regulations, many organizations do not appear to be taking the cyberthreat seriously.
As a result of this lackadaisical approach to cybersecurity, 94 percent of respondents said they had suffered a data breach over the course of the preceding two years. One of the factors that medical personnel should take into account when considering their network's vulnerabilities is how enticing medical patient information can be to hackers. Stolen medical records can be flipped for much greater profit than personal information such as Social Security numbers. By some accounts, a cybercriminal can make $20,000 on average from a single medical identity theft incident. Also, it may take longer for victims to realize that their medical information has been compromised. This means that hackers can continue to profit from a single medical record for a longer period of time than from a person's Social Security number.
Surge of data breaches in California
The combination of lax cybersecurity practices and the presence of a highly desirable target has created conditions conducive to medical data breaches. For instance, healthcare facilities across the state of California have reported numerous incidents over the past several months. The breaches reflected a discouraging lack of preparation on the part of hospital personnel to properly secure patient information. In some instances, thieves were able to simply steal hospital computers that stored thousands of patient records. One official stated that because his organization had a policy against the storage of patient data on local hard drives, administrators had not taken additional steps to secure that information.
Two of the more severe breaches that were reported occurred at the same hospital mere months apart. Lucile Packard Children's Hospital at the Stanford University School of Medicine suffered a major data breach when thieves stole a computer containing data belonging to approximately 57,000 patients. Several months later, thieves took another device off hospital grounds, compromising nearly 13,000 additional records. Administrators vowed that they would take major precautions to bolster security in the future.
Securing medical workstations
The main concern highlighted by these incidents is the almost careless manner in which some healthcare facilities store and access patient information. Medical records contain a great deal of sensitive data including illnesses, treatment regimens and test results. Hospital administrators should deploy an array of resources to protect this information, including system restore and recovery utilities. Medical personnel can prevent hackers from accessing patient data by implementing system restore processes across their workstations. System administrators can configure networked environments to reset their machine configurations after each session. This way, if patient data is erroneously accessed or stored on the wrong device, that information will be removed once the user has logged off.