Just how bad can data privacy negligence by healthcare professionals be?
Data privacy in the healthcare industry remains a constant struggle today. While the industry has always implemented new technologies to help healthcare professionals deal with patients, most health professionals are still unsure about handling patient data.
Today, most hospitals have doctors using tablets to access patient data and write reports. AI-based scanners and IoT sensors are also used to help provide patient diagnostics, especially for some medical cases.
When the COVID-19 pandemic reached its peak, hospitals had to deal with a massive number of patients. The data generated was crucial in providing insights on how they could cater to patients, as well as in providing the best treatment for them.
Healthcare institutes and hospitals soon began embracing health data management platforms to manage the high volume of data. Governments continue to mandate and support healthcare IT solutions, especially in the use of big data analytics. The global population health management market is also expected to reach US$46.7 billion by 2026.
However, with large volumes of data in circulation, hospitals soon became targets for cybercriminals. According to the Ponemon Institute and the Verizon Data Breach Investigations Report, the health industry experiences more data breaches than any other sector.
Higher demand for healthcare data
Today, Personal Health Information is more valuable on the black market than credit card credentials or regular Personally Identifiable Information. With higher demand for such data, cybercriminals are targeting medical databases.
According to the Health Insurance Portability and Accountability Act (HIPAA) Journal, between 2009 and 2020, 3,705 healthcare data breaches of 500 or more records were reported. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records. That equates to more than 81.72% of the population of the United States.
In Southeast Asia, Singapore experienced its worst healthcare breach in 2018 when hackers stole the personal information of 1.5 million patients. The hackers infiltrated the computers of SingHealth, Singapore’s largest healthcare institution group. Cybercriminals had accessed non-medical personal data, including names, addresses, gender, race, and dates of birth.
Statistics also show that East Asia saw a 137% increase in healthcare cyberattacks in the first half of 2021 alone. The healthcare cybersecurity market is also witnessing an uptick in IoT medical devices that are now connected to the network to help doctors, nurses, and support teams provide critical care services for patients.
With the increased use of technology in healthcare, the industry is expected to see cybersecurity spending reach US$125 billion by 2025. But is this enough to protect healthcare data from cybercriminals?
Ransomware, email compromise, and unsecured databases continue to be the main culprits behind breaches in healthcare. However, healthcare breaches also originate from third parties or managed service providers. An analysis from cybersecurity provider Tenable showed that third-party breaches accounted for over a quarter of the breaches tracked and for nearly 12 million records exposed.
Whether a breach comes from ransomware or a third party, healthcare data is very much at risk. While large healthcare institutions and hospitals may improve their cybersecurity protection, smaller hospitals, clinics, and similar facilities are still very much exposed and can serve as entry points for cybercriminals.
Understanding data privacy
According to Sriram Narayanan, Principal Consultant for Security at Thoughtworks SEA, “medical professionals are trained to treat patients. Their training does not involve how to deal with data privacy and such. In the past, medical records were kept in cabinets. Today, most of these data are stored in the cloud. The risks are greater but most medical practitioners are not aware of this.”
Awareness of the importance of patient data and data privacy is still lacking among healthcare professionals. In many cases, negligence in handling data, such as leaving patient data exposed or transferring data between departments insecurely, is a contributing cause of data breaches in healthcare.
“We need to educate the medical profession on what privacy and confidentiality are and what it represents in the world of online reports. It does not matter if it’s a government or private healthcare facility, without understanding the importance of patient data, the likeliness of a facility being hacked is higher,” said Sriram.
Taking privacy lightly would also mean exposing patient data to other vulnerabilities. For example, some of this data may contain sensitive information that patients may not be comfortable having others see. Unmonitored access to medical reports may also lead to patient data being accessed by those with bad intentions.
Sriram pointed out that privacy and resiliency should be a priority in healthcare today. CIOs and CTOs in healthcare institutions should make the right decisions in cybersecurity resiliency. They should not wait for a reactive solution but be more proactive. They need to be aware of the regulations in place, especially when it comes to data privacy.
“Will they pay attention to it in the future? That’s a question we will have to wait and see. Life as of 2019 may not come back in the next 20 years, but everyone will strive for it. With more variants and such from the pandemic, we may strive towards a new normal. My apprehension is, will privacy then take another pass?” commented Sriram when asked about the state of cybersecurity post-pandemic.
As Sriram puts it, as the healthcare industry continues to add more cybersecurity measures, it is vital for medical practitioners to also take patient data privacy seriously, as failing to do so could lead to more repercussions.