UPDATED 20:25 EDT / AUGUST 25 2019

SECURITY

Massachusetts General Hospital data breach latest failure to protect patient data

Another week, another data breach in healthcare.

This time, Massachusetts General Hospital had data stolen in a sector that continues to provide inadequate protection for patient data.

First disclosed on Thursday, the hack involved the records of some 9,900 research patients being accessed by an “unauthorized third-party” on two computers used by neurology researchers at the hospital. The data theft occurred between June 10 and June 16.

The data stolen included names, dates of birth, medical record numbers and medical histories. Social Security numbers and financial information were not disclosed, the hospital noted.

“As soon as MGH discovered this incident, it took steps to prevent further unauthorized access and restore the affected research computer applications and databases,” the hospital said in a statement. “MGH also engaged a third-party forensic investigator to conduct a review and has contacted federal law enforcement as a precaution. MGH continues to review and enhance the security processes in place for its research programs.”

The targeting of research data may be of specific interest, as it coincides with a new report from FireEye Inc. claiming that research data is being continually targeted by multiple attackers, including those from China.

There’s also some suggestion, albeit speculative, that the data was stolen via an outside provider. As HealthcareITNews reported, a previous breach at the hospital in 2016 involved data stored by an outside provider and access by unauthorized individuals.

Ben Goodman, senior vice president of global business and corporate development at identity and access management firm ForgeRock Inc., said that the healthcare industry was victimized by 363 total breaches in 2018, according to findings from the Identity Theft and Resource Center, and that as a result, nearly 10 million total records were exposed.

“Hospitals are a prime target for threat actors as patients’ protected health information can easily be sold on the dark web and used to commit fraud, access medical care in the victims’ name, and used in highly targeted phishing attacks,” Goodman explained. “PHI also has a much longer shelf life compared to other types of data, like credit cards which can be easily canceled and rendered useless.”

Goodman added that it’s imperative that healthcare providers leverage security strategies and tools that prescribe real-time, contextual and continuous security that detects unusual behavior and prompts further action, such as identity verification.

A study from cloud-based email management firm Mimecast Ltd. in February “found a higher false-negative rate for email-borne attacks (malicious emails that are getting through organizations’ existing email defenses) for healthcare organizations as compared with a broad cross section of the other industries,” a spokesperson for the company said.

The sector was found to be the most vulnerable and to have the fewest security defenses, with incidents similar to what happened at MGH frequently beginning with an email attack that tricks or misleads employees. One in every 350 emails sent to healthcare professionals was found to be an impersonation meant to trick them into giving away confidential information or further private access, while one in every 3741 emails sent to healthcare professionals contains malware.

“This is but one indication that healthcare organizations, in general, have a way to go before their security controls meet the effectiveness of other industries,” Matthew Gardiner, cybersecurity strategist at Mimecast, told SiliconANGLE.

Photo: Wikimedia Commons
