Hackers do not always target retail
stores and banks; they also target hospitals. By doing so, they can obtain a
significant amount of extremely sensitive information.
New research examines the information that may leak during hospital data breaches.
Recent
research identifies what types of information hackers steal during a hospital
data breach.
Researchers
from Michigan State University (MSU) in East Lansing and Johns Hopkins
University in Baltimore, MD, revealed what types of data leak from secure servers
during hospital data breaches. They published their study in the Annals of Internal Medicine.
This
type of data breach can have severe consequences for the people whose
information the hackers obtain says John (Xuefeng) Jiang, lead author and MSU
professor of accounting and information systems. He adds that it is not always
financial fraud or identity theft that happens as a result. It can also lead to
the misuse of sensitive, medical information.
Potential for fraud, identity theft, and more
"The
major story we heard from victims was how compromised, sensitive information
caused financial or reputation loss," says Prof. Jiang. "A criminal
might file a fraudulent tax return or apply for a credit card using the social
security number and birth dates leaked from a hospital data breach."
This
is the first research that has revealed details on the types and amount of
public health information obtained through hacking incidents. The researchers
estimate that the 1,461 data breaches that took place over 10 years from 2009
to 2019 impacted 169 million people.
To
identify what data was at risk, researchers divided information into one of
three categories: demographic information, which includes names and email
addresses; financial information, including date of service, billing amount,
and payment information; and medical information, which includes items such as
diagnoses and treatment.
The
study authors broke down demographic information further by categorizing social
security numbers and birth dates into "sensitive demographic
information," and financial information, which included payment cards and
banking details, into "sensitive financial information."
These
categories are ripe for exploitation from those who want to commit identity
theft or financial fraud.
Knowing the target is a key part of the battle
For
compromised medical information, the researchers placed specific diagnoses and
treatment options in a "sensitive medical information" category.
These included HIV status, sexually transmitted diseases,
substance abuse, mental health, and cancer. These had the potential for severe
privacy violations for the people involved.
Around
70% of the data breaches involved sensitive demographic or financial
information. This means that identity theft and financial fraud may be the goal
of the majority of those who hack this sort of information.
However,
20 of the data breaches compromised sensitive medical information, which
affected around 2 million people.
"Without
understanding what the enemy wants, we cannot win the battle," says Ge
Bai, associate professor of accounting at Johns Hopkins Carey Business School
and Bloomberg School of Public Health. "By knowing the specific information
hackers are after, we can ramp up efforts to protect patient information."
Future steps and implications of the study
Those
involved in this study recommend that regulators, such as the Department of
Health, make an effort to formally collect the types of information that leak
out during a data breach and inform the public.
They
say this will help those affected asses potential damages. Also, institutions
that have limited resources could take steps to limit the amount of information
accessible to a possible data breach. For example, they could store financial
and demographic information on different servers.
The
researchers say that another area of concern involves the Department of Health
and Human Services and Congress. The organization has recently introduced new
rules to encourage more data sharing. According to the researchers, data
sharing has the unfortunate side effect of increasing the risk of data
breaches.
Plans
are already in place, though, for Prof. Jiang and Bai to work with lawmakers
and organizations to ensure personal information is as safe as possible.
No comments:
Post a Comment