Healthcare data breaches up but fewer records at risk
- Gaps in cybersecurity continued to hound the healthcare industry in 2017, with a total of 477 reported incidents — up from 450 in 2016, according to a new report by Protenus and DataBreaches.net. The report predicts the trend of at least one breach a day will continue this year.
- At the same time, the number of affected patient records declined more than five-fold from 27.3 million in 2016 to 5.6 million last year. Overall, 80% of the reported breaches involved healthcare providers, 12% involved health plans and the rest involved another type of covered entity.
- Insiders were responsible for more than a third of all breaches in 2017. The single biggest breach involved a hospital employee who wrongfully accessed the billing information of 697,800 patients.
Reports of ransomware and malware attacks also rose sharply, from 30 incidents in 2016 to 64 in 2017 — an increase the report says could reflect Office for Civil Rights guidance on how to respond to a ransomware attack. There were also 58 breaches involving theft and 18 involving lost or missing records. Forty-seven incidents lack sufficient evidence to classify them.
While the industry detected more breaches last year, it also took longer to discover them — 308 days versus 233 days in 2016. The delay is partly due to the number of reported breaches that occurred years earlier, the report says. Insider incidents took the longest to detect, with one insider incident continuing for 14 years before being discovered.
“To see continued improvement in detection and reporting in 2018, healthcare leaders will need to build upon the progress made this past year by comprehensively auditing every access to the EHR to ensure threats to patient privacy are proactively detected and mitigated,” the report says.
Healthcare organizations are a choice target for cybercriminals because of the wealth of patient health and financial information in their systems. Just earlier this month, ransomware temporarily shut down computers at Indiana-based Hancock Health and Coplin Health System in West Virginia revealed 43,000 patients’ information may have been compromised when an unencrypted laptop was stolen from an employee’s car.
EHR vendor Allscripts experienced a ransomware attack on its cloud-based applications this month. The recovery is still in progress.
Cybersecurity experts stress the need for stronger authentication and procedures around computer access and use. For example, studies have shown that health workers often share EHR passwords, putting patients’ personal information at risk. To prevent breaches, OCR has urged healthcare organizations to beef up their electronic authentication methods and conduct enterprise-wide risk analyses to identify cyber vulnerabilities and how different types of breaches could impact their operations. The office also put organizations on notice for smaller breaches, directing its regional offices to step up investigations at their discretion.
Healthcare organizations appear to be taking those warnings seriously. In a HIMSS survey, 71% of respondents said their organization budgets for cybersecurity and nearly two-thirds of those said the allotment is at least 3% of the overall budget. However, a recent Black Book Market Research survey found only 15% of hospitals have a C-suite leader in charge of cybersecurity, and just 11% plan to appoint one in 2018.
Vincent Weafer, vice president of cybersecurity firm McAfee Labs, says organizations need to invest more in security talent to help thwart breaches before they occur. “As much as we talk about the latest technology and trends and complexity … it really is about finding the basic doors unlocked, the windows which have been not fully closed in the environment,” he told Healthcare Dive in October. “That’s what threat hunting is all about—trying to find those risks and mitigate them and bring them down as quickly as possible.”