How Do Consumers Feel About Health Data Protection?

Cybersecurity company Morphisec recently published the results of a survey on healthcare cybersecurity from the viewpoint of over 1,000 consumers. Respondents were asked about the healthcare threat landscape, the way personal health data is being targeted, and how they feel about the protection of their health data.

The change from paper to electronic health records improved the efficiency of patient care by making it easier to share health information. However, it also introduced vulnerabilities that hackers can exploit.

Morphisec remarks that the rate of cyberattacks on the healthcare industry is double the rate in other industries. Since 2009, over 190 million healthcare records have been exposed or stolen, a figure equal to 59% of the U.S. population. Yet 54% of consumers did not know that their providers had suffered a data breach. 40% said they knew that no breach had occurred, and only 6% said that one of their healthcare providers had been affected. HIPAA requires breach notifications to be issued to consumers in the event of a health records breach, but it appears that many consumers are not being notified.

When asked who is responsible for securing health data, 51% of respondents said it is a joint responsibility of providers and consumers. 29% said the provider alone is responsible, and 8% said it is the consumers’ own responsibility.

Since healthcare providers now give patients copies of their health information, or access to it through patient portals, many consumers feel they are responsible for protecting the health data they share. In the past year, the use of patient portals increased by 14%. Regarding the security of stored data, 55% of respondents said it is more secure when kept by providers, while 45% said it is more secure on personal electronic devices. Consumers gave no clear answer regarding:

  • their confidence in their providers to protect data,
  • the likelihood of a cyberattack on a provider or on them personally, and
  • the difference between their own security defenses and their providers’.

What is very clear is that consumers agree the weak links need to be addressed. 21.4% of respondents think web browser protection is the weakest link in security. 21% think endpoint defenses are the weakest point, 20% think it is email phishing defenses, and another 20% think it is patient portal defenses. Only 13.8% think medical device security is the weakest point.

Under HIPAA, healthcare organizations must employ security measures to protect the privacy of health data. Providers that fail to implement appropriate defenses may face heavy fines in the event of a data breach. The healthcare industry has indeed raised its standard of security since the introduction of HIPAA, but many healthcare organizations implement only the minimum security defenses required for HIPAA compliance.

While HIPAA compliance helps reduce security risks, it does not guarantee that cyberattacks will be thwarted or that hackers will be dissuaded. Many healthcare organizations stop improving their defenses once they have met the minimum HIPAA requirements for cybersecurity. That is not enough protection against advanced and zero-day attacks from FIN6 and other innovative attackers.

A number of stakeholders have recommended establishing a safe harbor for healthcare providers that satisfy HIPAA security standards, so that they are immune from monetary fines. With that in place, it is believed that healthcare organizations would be more willing to invest in cybersecurity defenses.