Feb. 19—Providers, including hospitals and health systems, were the source of the vast majority of compromised health IT data found in a recent study.

A study by SANS, a cybersecurity research organization, examined a sample drawn from a wide range of healthcare entities between September 2012 and October 2013 to identify which ones were leaking data online as a result of security compromises.

The study results, including the identification of 375 compromised U.S. healthcare-related organizations, were “alarming,” wrote Barbara Filkins, senior analyst for SANS and author of the study.

“[The study] not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen,” she wrote.

Providers of all sizes made up 72 percent of the compromised healthcare organizations. The compromised providers found in the sample included “prominent university hospitals,” large health systems, and national provider associations.

One-third of the compromised entities were either individual practices or small groups with fewer than 10 providers, the study found.

Meanwhile, health plans made up about 6 percent of compromised entities, and pharmaceutical firms nearly 3 percent of the affected healthcare organizations.

“Many of the organizations sending the traffic are large entities that should have the resources to conduct the basic inventory, assessment, and configuration controls needed to protect their systems from being compromised and used maliciously,” the researchers concluded. “This report, however, shows that the systems were compromised for long periods of time, and even when alerted to their system’s actions, the organizations did not repair the vulnerabilities.”

Wide Impact Seen

Such breaches could affect a range of data, including data held in electronic health records (EHRs). Such breaches were expected to accelerate as more health and personal data is exchanged online through EHRs and the public health insurance marketplaces created by the Affordable Care Act.

The study authors noted that their data illustrate the gap between compliance with information security rules and actual protection of data. For instance, the breached entities were concentrated in California, Texas, New York and Florida, all of which rank among the states with the strictest data security requirements.

The study urged healthcare organizations to examine the full range of ways attackers may gain access to their data, with particular attention to remote users. It also urged healthcare entities to follow industry best practices for securely configuring the range of vulnerable systems and for monitoring those systems for signs of abuse.

Publication Date: Wednesday, February 19, 2014