Breaches like Molina Healthcare's show why you can't skimp on security

Complacency is not an option where malicious individuals can take advantage of application and infrastructure vulnerabilities to access protected health info.
By Bill Siwicki
02:06 PM
healthcare breaches 2017

The healthcare data breaches just keep coming.

For example, Molina Healthcare, a Medicaid and Affordable Care Act insurer, shut down its patient portal recently in response to a security flaw that exposed patient medical claims data without requiring authentication, according to security researcher Brian Krebs. Krebs was first made aware of the security flaw in April through an anonymous tip, which could allow any Molina patient to access other patients’ medical claims by simply changing a single number in the URL. Even worse – no authentication was required to access patient claims information online.

“We often focus on elaborate cyber-threats like the Wannacry ransomware that recently wreaked havoc on organizations around the world, but the fact remains that many organizations lack basic security,” said Nat Kausik, CEO of Bitglass, a cybersecurity vendor that specializes in cloud security. “This is especially true in the heavily regulated healthcare industry. Molina Healthcare is just one example of an IT oversight that led to massive exposure of protected health information. In the case of Molina Health, the breach went unreported and the flaw unidentified for some time.”

[Also: Healthcare Security Forum accepting call for proposals through June 1]

Bitglass’ “2017 Healthcare Breach Report” highlights HHS data that shows 328 reported data breaches in healthcare in 2016 – 130 due to unauthorized disclosure, 113 due to hacking or an IT incident, 78 due to loss or theft, and 7 due to other reasons. The report goes on to highlight 71 data breaches in the first quarter of 2017 – 29 due to unauthorized disclosure, 20 due to hacking or an IT incident, 20 due to loss or theft, and 2 due to other reasons.

“Bitglass found that the volume of leaked records in healthcare fell in 2016 and was on track to fall further in 2017,” Kausik said. “However, the number of breaches in the healthcare industry in 2016 hit an all-time high. 328 U.S. healthcare firms reported data breaches in 2016, up from 268 in 2015, according to HHS data. Hacking and IT incidents like the Molina Health flaw are the leading cause of breach events and continue to pose the greatest risk to healthcare organizations.”

[Also: The biggest healthcare breaches of 2017 (so far)]

These breaches also are incredibly costly – the average cost per leaked record for healthcare firms topped $402 in 2016, according to the Ponemon Institute.

“Healthcare organizations are major targets and will see any and all flaws exploited by malicious individuals,” Kausik said. “As healthcare organizations make patient data more accessible to individuals and new systems, they must make information security their top priority.”

Security has become among the top priorities for healthcare firms across the nation; complacency is not an option where malicious individuals can take advantage of application and infrastructure vulnerabilities to access PHI, Bitglass’ “2017 Healthcare Breach Report” concluded.

“While the threat of data leakage will always exist, IT departments can stay a step ahead with respect to data security,” the report said.

Twitter: @SiwickiHealthIT
Email the writer:

Like Healthcare IT News on Facebook and LinkedIn