In a new study, researchers at Michigan State University have examined the type of data that was leaked by hackers during hospital breaches. In doing so, the researchers have gained a better understanding of what explicit data was leaked, as well as to how to better safeguard it in the future from future attacks.
There's a lot of information that hackers can steal from your hospital record. Between 2009 and 2019, there were 1,461 hospital-related data breaches, affecting nearly 170 million people.
Some of the victims have reported that having their sensitive information exposed by hackers led to financial losses and hurt their reputation. For instance, cyber criminals can use a victim's social security number or date of birth to file for a phony tax return or apply for a credit card.
Xuefeng Jiang, a professor of accounting and information systems, along with colleagues, undertook the massive task of classifying the type of data leaked by hackers. This is important because it provides a broader picture of the kind of potential damages incurred by healthcare data breaches.
With the help of Ge Bal, associate professor of accounting at Johns Hopkins Carey Business School, Jiang classified the leaked data into three main categories: demographic (names, e-mails, addresses), financial (service data, billing amount, payment info), and medical information (diagnoses, treatments).
"We further classified social security and driver's license numbers and birth dates as sensitive demographic information, and payment cards and banking accounts as sensitive financial information. Both types can be exploited for identity theft or financial fraud," Jiang said. "Within medical information, we classified information related to substance abuse, HIV, sexually transmitted diseases, mental health and cancer as sensitive medical information because of their substantial implications for privacy."
The researchers found that 70% of the data breaches involved sensitive demographic or financial information, which could be exploited for identity theft or financial fraud. Around two million people were affected by breaches comprising sensitive health information.
By knowing exactly what kind of data has been leaked and how many times, hospitals and healthcare services could be better equipped to protect their patients' sensitive information. The researchers recommend, for instance, that hospitals implement separate systems to store and communicate patient records.
Very recently, the US Department of Health and Human Services and Congress proposed rules that would encourage more data sharing, making breaches more likely. Jiang and Bai are planing to avoid these sort of poor practices by publishing a practical guide for lawmakers and industry.
"Without understanding what the enemy wants, we cannot win the battle," Bai said. "By knowing the specific information hackers are after, we can ramp up efforts to protect patient information."
The findings appeared in the journal Annals of Internal Medicine.
