Malicious hacking poses a grave threat to healthcare providers, and the likelihood of being targeted may increase in coming years, according to an audit by technology security firm Redspin.
Hacking-related incidents represented about 6% of all reported healthcare data breaches from 2009 to January 2013, but that figure is projected to grow, Redspin researchers said.
"We expect that the low incidence rate of hacking during the past few years was the calm before the storm," according to the report. "Personal health records are high value targets for cybercriminals as they can be exploited for identify theft, insurance fraud, stolen prescriptions, and dangerous hoaxes."
The researchers called on healthcare providers to "up their game" in terms of security defenses for sensitive records, pointing to the large-scale theft of medical records from the Utah Dept. of Health.
Last year criminal hackers from Eastern Europe exposed around 780,000 patient medical records, including social security numbers and other personal information, from a database of Medicaid and Children’s Health Plan recipients. The incident, the largest healthcare data breach of 2012, resulted in the firing of the state IT director, according to the report.
The state further responded by proposing a new bill that would require that certain security "best practices" be put in place and would mandate an audit of the state health department’s security every 2 years.
Redspin researchers noted that the overall health security outlook had improved from 2010 to 2012, with fewer incidents reported and fewer patient records exposed, but the number of "large" breaches, defined as those affecting 500 individuals or more, had increased nearly 21%.
In total the report noted 538 reported breaches of protected health information from August 2009 to January 2013, exposing a total of more than 21.4 million patient records. About ⅔ of those incidents involved theft or loss.
The breaches represent a risk to patients and to healthcare institutions, but Redspin researchers noted another victim: electronic medical records.
"Data breaches can cause significant financial harm, reputational damage, and loss of consumer confidence. In healthcare, that risk is not limited to an individual hospital or business associate," the researchers noted. "It is an industry-wide threat to the continued adoption of electronic health records – the foundation for improving cost efficiency, care delivery, and patient outcomes within the U.S. healthcare industry."