HITRUST Says Healthcare Industry Can’t Protect its Data


The latest report from the Health Information Trust Alliance  sheds new light on the state of cybersecurity in the healthcare industry. HITRUST’s statistics suggest that while the some progress has been made in the past few years, the industry as a whole is not yet equipped to properly ensure patients’ privacy.

The organization says that the industry experienced 495 breaches since 2009. Over 21 million records have been compromised as a result, amounting to estimated loss of $4 billion.

Physician practices with less than 100 workers accounted for over 60 percent of these breaches, a statistic HITRUST attributes a shortage in the necessary skills needed to protect patient data. This is to say smaller practices don’t normally have an IT department, but it goes beyond that as well: paper records comprised 24 percent of healthcare breaches since 2009.

Surprisingly, theft, loss, and unauthorized access accounted for the overwhelming majority of incidents. HITRUST blames a mere eight percent on hacking and malware:

“Data we receive from other sources strongly indicates that U.S. healthcare organizations of all types are experiencing data loss due to viruses, attacks by cyber criminals, password sharing by clinicians, and the prevalence of vulnerabilities in electronic health record (EHR) technologies that are not communicated,” said Nutkis.

Institutional providers also remain vulnerable. While the number of reprted incidents declined by over 70 percent in 2010 and only 14 breaches were reported in the first half of 2012, 54 percent of healthcare organizations participating in the survey had little to no confidence in their ability to detect all data loss or theft.

The successful attack on Utah healthcare administrators earlier this reflected this stark reality. In April, the Utah Department of Technology Services and the Utah Department of Health revealed that Eastern European hackers got their hands on the personal information of nearly 200,000 patients.