- Alan Mozes
- Posted September 24, 2019
What Do Hospital Cyber Attackers Want to Know About You?
Cyber attackers who target hospital databases mostly go after patient contact and financial information, not medical records, a new study finds.
The data that hackers seek could lead to identity theft and financial fraud, according to investigators from Michigan State University in East Lansing, and Johns Hopkins University in Baltimore.
Moreover, such data is the focus of more than 70% of hospital cyber attacks, the researchers said.
Reporting in a pair of studies in the Sept. 23 issue of the Annals of Internal Medicine, the study authors noted that only 2% of hospital breaches ultimately accessed patient medical records.
"The major story we heard from victims was how compromised, sensitive information caused financial or reputation loss," lead author John (Xuefeng) Jiang said in a Michigan State news release.
"A criminal might file a fraudulent tax return or apply for a credit card using the Social Security number and birth dates leaked from a hospital data breach," he added.
Jiang is a professor of accounting and information systems at Michigan State.
He and his colleagues reviewed more than 1,460 hospital data breaches that occurred across the United States over the last decade. Roughly 169 million patients were affected.
The breaches fell into three categories of information: names and contact information; financial data; and medical records.
Two million people had their personal health information stolen, amounting to just 2% of the breaches, the findings showed.
By comparison, all of the cyber attacks targeted at least one piece of contact information. And more than seven in 10 targeted either sensitive contact or financial records, including names, email addresses, bills, credit cards, Social Security numbers, driver's licenses and birth dates. Hackers can use this kind of information to commit identity theft or financial fraud.
The investigators suggested that perhaps hospitals should be required to reveal exactly what type of information is stolen following a data breach.
Study co-author Ge Bai said, "Without understanding what the enemy wants, we cannot win the battle. By knowing the specific information hackers are after, we can ramp up efforts to protect patient information." Bai is an associate professor of accounting at Hopkins Business School and the Bloomberg School of Public Health.
There's more about patient information and security at Privacy Rights Clearinghouse.
SOURCE: Michigan State University, news release, Sept. 23, 2019