Despite years of warnings and high profile incidents, healthcare sector data breaches continue to roll in, with each year seemly posting bigger numbers than the year before.
The latest data point is a study by the firm Bitglass (note of caution: vendor-sponsored research) that suggests 2016 marked a new high-water mark for healthcare data breaches, at least when measuring the number of discrete incidents.
Bitglass identified 328 breaches in calendar year 2016, surpassing the previous record of 268 set… you guessed it… the year before (2015). Health information on approximately 16.6 million Americans was exposed in those breaches, a slight decrease from prior years, the firm found in its 2017 Healthcare Breach Report.
Unauthorized disclosures of data were the leading cause of breaches, accounting for almost 40 percent of breaches in 2016, Bitglass said. However, hacking related breaches typically resulted in a greater loss of records, with the top five largest breaches all related to hacking and “IT incidents.” In all, 80 percent of leaked records in 2016 were the result of hacking, Bitglass said.
The Bitglass data is consistent with other, recent reports. The recent Verizon Data Breach Investigations Report (DBIR) cited 458 incidents of data breach affecting healthcare organizations, with 296 involving “confirmed data disclosure.” Overall, 15% of breaches involved healthcare organizations, Verizon reported.
There, also, the data suggests that – numerically – employee error was the biggest cause of breach incidents, including misdelivery, disposal errors and lost assets, which combined for almost 80% of all healthcare breaches. Internal threat actors played a role in a whopping 68% of incidents – the only industry where employees are the dominant threat actors behind breaches.
As for the human toll of these incidents, it’s worth noting that sick and elderly people aren’t the only victims. As the magazine Compliance Today notes, pediatric data has also attracted the attention of cybercriminals interested in identity theft scams. The reason: children are “blank slates” for identity thieves, who can use their names and personally identifying information like Social Security Numbers to open lines of credit and bank accounts.
The crimes can go undetected for years, until the victims begin to establish their financial identities at 18 – or older. “They do a credit check when they turn 18 years old or apply for a credit card or student loan. Only then do they notice the suspicious debts and costly bills in their name from when criminals have used their information.”
And don’t look for the trend lines to start bending. As this blog has noted, organizations that monitor fraud trends predict that 2017 will be another banner year for data theft, with the healthcare sector a continued “focal point for hackers,” according to the firm Experian.
The healthcare sector, including insurance firms, hospitals and doctors’ offices, has long been a prime target for cybercriminals and even nation-state actors. The breach of systems operated by Anthem Healthcare in 2015 was attributed to attackers based in China. Attacks on healthcare organizations by sophisticated actors have been ongoing for years. In 2014, an investigation of a hack at the hospital chain Community Health Systems also ointed to hackers operating out of China.
More recently, the sector has been the target of ransomware groups, which use malicious software, installed in phishing email attacks, to encrypt patient data and cripple clinical systems. According to Verizon, 72% of malware incidents in the healthcare industry were the result of ransomware infections.
There are no easy answers for healthcare organizations, which manage reams of sensitive data on patients and employees, as well as a diverse infrastructure of medical devices, portable electronics, web-based services (like electronic health records) and traditional IT systems.
A 2016 survey of healthcare organizations across the United States found that hospitals and other healthcare organizations pour resources into protecting patient health records, but are ill prepared to defend their facilities, networks, employees and infrastructure against targeted attacks by online adversaries who wish to cause disruptions in service or even to target patients, according to the report (PDF) issued by Independent Security Evaluators (ISE).
