Monthly Archives: May 2024

The ‘protected health information’ crisis in healthcare

The PHI crisis in healthcare is putting patient safety and privacy at risk. Healthcare organizations represented in this research experienced an average of 74 cyberattacks in the past two years, and almost half of respondents (47 percent) say these cyberattacks resulted in the loss, theft or breach of PHI. Over the past two years, the cost to detect, respond to and remediate PHI cyberattacks averaged $2.6 million, and another $1.6 million was spent on staff, paralegals and technologies to determine the impact on patients.

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and was created, used, or disclosed when providing a health care service such as diagnosis or treatment.

The purpose of this research, sponsored by Tausight and independently conducted by the Ponemon Institute, is to understand the challenges healthcare organizations face in securing PHI data. Ponemon Institute surveyed 551 US IT and IT security practitioners who are in the following healthcare organizations: hospitals (37 percent of respondents), healthcare service providers (23 percent of respondents), clinics (21 percent of respondents) and healthcare systems (19 percent of respondents). The primary responsibilities of respondents are managing IT and IT security budgets, assessing cyber risks to PHI, setting IT or IT security priorities and selecting vendors and contractors.

Healthcare organizations’ ability to protect patient PHI is in critical condition. Organizations are losing control of the risk because they lack visibility into the enormous amount of PHI that lives outside the EHR. The research points to two root causes of the PHI crisis. According to 58 percent of respondents, their organizations are unable to determine how much PHI exists outside the EHR, where it is and how it is being accessed. Fifty-five percent of respondents say their organizations are at risk because of the excessive presence of PHI across their data centers, endpoints and email accounts. On average, organizations have 30,030 network-connected devices.

Findings that illustrate the PHI crisis in healthcare 

  • Organizations lack the budget to invest in PHI protection technologies (52 percent of respondents) and the ability to have the necessary expertise to manage PHI protection technologies (48 percent of respondents). 
  • Current legacy technologies have difficulty protecting the enormous amounts of PHI across organizations’ systems (66 percent of respondents) and identifying PHI on servers and endpoints in order to decide what belongs in secure storage (69 percent of respondents).
  • Migration to the cloud and collaboration tools have increased risks to PHI (52 percent of respondents).
  • The level of security risk to PHI created by remote care and accessing or transmission of PHI outside the firewall is very high, according to 57 percent of respondents.
  • Current technologies are not improving visibility into PHI outside the EHR. Only 39 percent of respondents say their organizations have a high ability to detect and classify unstructured data, and only 47 percent say their organizations have a high ability to detect and classify structured data, wherever it exists throughout the expanding digital environment.
  • Only 30 percent of respondents say their organizations have significant visibility into PHI located in the data center and endpoints where it is exchanged between doctors’ and patients’ systems or applications.
  • Most organizations say DLP and DSP software are not effective in improving visibility into PHI on endpoints, networks and in the cloud and providing visibility into data movement of PHI.
  • Once organizations have a PHI data breach, 71 percent of respondents say it is very difficult to assess how many patients were affected, and almost half of respondents (47 percent) say their organizations are likely to overreport the number of patients affected because of the difficulty in determining which device or server was compromised.
  • The negative consequences of a PHI data breach are exacerbated because it can take an average of more than two months to recover, remediate and assess the impact to PHI and to be able to disclose the breach and notify affected patients.
  • Insiders put PHI data at risk. The most frequent types of insider negligence are accessing PHI on uncontrolled devices and accessing hyper-connected endpoints on networks with varying IT security standards. Other frequent incidents are sending emails containing unencrypted PHI and moving PHI to an unknown USB drive, after which the data is lost.

Click here to watch a webinar about these findings with Larry Ponemon and David Ting, CTO and Co-Founder of Tausight, which helps healthcare organizations protect data.

When fraud turns fatal — Uber driver shot after ‘grandparent scam’ call

Bob Sullivan

When consumers and criminals interact, you just never know how combustible a situation can become. A recent story out of Ohio is a reminder that any scam can get very serious and lead to devastating consequences.

An Ohio man who had been communicating with criminals attempting to commit a “grandparent scam” shot and killed an Uber driver whom he said he believed was part of the scam; he has been indicted for murder and has pleaded not guilty.

Police say 81-year-old Michael Brock told them he had spent hours talking on the phone with someone who claimed that his nephew was in jail and needed bail money. Brock allegedly believed that Lo-Letha Hall, 61, had come to his house to pick up the money. He accused her of being part of the scam, and when she tried to leave, he fatally shot her.

Local news reports indicate Hall was an Uber driver simply picking up a package for what she thought was a normal delivery.

“Upon being contacted by Ms. Hall, Mr. Brock produced a gun and held her at gunpoint, making demands for identities of the subjects he had spoken with on the phone,” the sheriff’s office said, according to the Associated Press. Hall was unarmed and unthreatening, the sheriff’s office alleges in that story. A video posted on a local news site shows her walking away from Brock as he threatens her with the gun.

“I’m sure glad to see you guys out here because I’ve been on this phone for a couple hours with this guy trying to say to me I had a nephew in jail and had a wreck in Charleston and just kept hanging on and needing bond money,” Brock said to police, according to the Associated Press. “And this woman was supposed to get it.”

According to a memorial page set up for Hall, she was retired.

Whenever I speak in front of cybersecurity and fraud groups, I try to remind them how important their work is. There are plenty of reasons to take cybersecurity and financial fraud seriously — even crimes that might seem like common thefts can turn very serious, or be part of wider conspiracies. Even though it can feel exhausting and at times fruitless, all of us must continue the fight against scams and cybercrime.