Throughout 2016, the message from cybersecurity experts has been fairly consistent and increasingly urgent—leaders at patient care organizations need to prioritize IT security. And, at the risk of sounding like a broken record, a recent year-in-review report on health data breaches makes one thing quite clear—healthcare leaders are still not doing enough to protect patient data.
According to a new “Breach Barometer” report from Baltimore-based healthcare cybersecurity vendor Protenus, and in collaboration with DataBreaches.net, the healthcare industry was plagued by breaches involving patient or health data in 2016, with hacking and ransomware incidents reminding us how vulnerable protected health information (PHI) remains.
According to an analysis by Protenus and DataBreaches.net, there were 450 data breach incidents either reported to the U.S. Department of Health and Human Services (HHS) or disclosed in the media in 2016; that’s more than one health data breach per day for the entire year, and these breaches resulted in 27 million affected patient records. If these trends continue, 2017 can expect to see a continued average of at least one breach disclosed per day.
A Healthcare Informatics news article about the Protenus report briefly highlights the key findings, yet the report findings about insider wrongdoing caught my attention. Many data security experts have pointed out that employees are the weakest link in the cybersecurity fence and, with this in mind, it's important to review these data breach incidents with an eye toward lessons learned and to find a way forward for protecting patient privacy.
Protenus reported that 43 percent of the 2016 health data breaches (192 incidents) were a result of insiders, and for the 162 incidents out of those 192 that Protenus has data for, 2 million patient records were affected. Now, while hacking accounted for the majority of patient records breached in 2016, insider incidents resulted in a larger number of breach incidents (120 hacking incidents vs. 192 insider incidents).
According to the Protenus report, the average number of breached patient records due to insider error was more than three times the number attributed to insiders with malicious intent. However, the report also noted that this figure was distorted by two large insider error incidents in August and December, which, when removed, shows the two categories to have roughly similar averages.
“While it is reassuring that not all insider breaches are with ill-intent, healthcare organizations need to make employee training, frequent reminders, and re-training a priority,” the report authors wrote.
One key reason why I think the insider incidents should be highlighted is that there is mounting evidence that the problem of insider data breaches has largely gone unaddressed as healthcare organizations focus on catching up with the external threats. Additionally, insider breaches tend to fly under the radar and can go undetected for quite some time. To this point, the report authors noted that in one incident, hospital employees were potentially inappropriately accessing patients’ medical information for years without being detected, because the hospital didn’t have technology in place to monitor or protect patient privacy. The hospital found potentially inappropriate accesses to the medical records beginning no later than 2013, and possibly much earlier.
“Without technology in place to provide alerts when access to a medical record is inappropriate, the organization now has to notify every single patient they’ve encountered since 2013, which will probably end up being a very costly process,” the report authors wrote.
The Protenus report findings also indicate that it took an average of 233 days for a healthcare organization to discover they had a health data breach. Perhaps most troubling is that the time to discovery specifically in cases of insider wrongdoing was more than double that—607 days. It goes without saying that it is critical for healthcare organizations to have a more proactive approach to monitoring patient data, as the sooner a breach is detected, the quicker organizations can mitigate the risk of significant damage being done with their patient’s data.
While limited budgets and resources are likely to blame for some organizations’ data breach detection capabilities, the report authors also surmise that organizations are still taking a reactive rather than proactive approach to privacy monitoring, and this can allow inappropriate access to the patient data to go unnoticed for extended periods of time.
In a recent interview, Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, had a similar view of healthcare data security. “I think there are some folks who are beginning to be a bit more proactive, but for the most part, we’re still a very reactive industry,” he said.
Regarding insider data breaches specifically, McMillan said, “They are going to continue to be a problem until we realize as an industry that we need to move to behavioral modeling and behavioral analysis to stop the threat. This is one of those situations where the methods we are using are antiquated. We’re typically monitoring users today based on rules, so in other words, somebody goes outside their prescribed boundary in terms of what they are doing, or some known convention in the system in terms of their profile. The problem is that most insiders that are perpetuating harm, they know what those rules are and so they are careful not to cross those boundaries. And, if you’re not actually looking at behavior, you’re not going to catch that.”
McMillan noted that an employee who comes to work every day and does their job is generally going to look at x number of patients during their shift and they are going to have a behavioral pattern that is reflective of a person who is doing their job. "The person who is snooping or trolling around in the database or stealing identities is going to typically have a profile that is two to three times different than the person who is just doing their job. As long as they do that within the confines of their profile, the system never says anything, and never alarms. The only way to really detect that is to use behavioral analysis," he said.
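The contrast McMillan draws between a static access rule and a per-user behavioral baseline, as an added illustration that is not part of the article or of any vendor's product. The role names, daily chart-access counts and the 60-records-per-shift rule are constructed for the example; the 2x ratio follows his "two to three times" observation.

```python
from statistics import mean

# Constructed daily chart-access counts per user (not real data): each list
# is 14 prior shifts and forms that user's own baseline.
HISTORY = {
    "nurse_a": [18, 22, 20, 19, 21, 23, 20, 18, 22, 19, 21, 20, 22, 20],
    "nurse_b": [21, 19, 20, 22, 18, 20, 21, 19, 23, 20, 22, 19, 20, 21],
    "clerk_c": [45, 50, 48, 52, 47, 49, 51, 46, 50, 48, 53, 47, 49, 50],
    "pharm_d": [68, 72, 70, 71, 69, 73, 70, 68, 72, 71, 69, 70, 72, 70],
}
# Constructed counts for today's shift. nurse_b is the snooper: far above
# her own norm, but still under the static rule she knows about.
TODAY = {"nurse_a": 20, "nurse_b": 55, "clerk_c": 52, "pharm_d": 75}

# Hypothetical static rule of the kind the article says insiders learn to
# stay under: alarm only when a user opens more than N charts in a shift.
RULE_MAX_PER_SHIFT = 60


def rule_based_alerts(today):
    """Static rule: flags anyone over the fixed ceiling, regardless of role.
    Misses the snooper at 55 and flags the legitimately busy pharmacist."""
    return sorted(u for u, n in today.items() if n > RULE_MAX_PER_SHIFT)


def behavioral_alerts(history, today, ratio=2.0):
    """Behavioral model: compare each user with their own baseline.
    Returns (user, today_count, baseline_mean) for users whose volume
    today is at least `ratio` times their historical mean."""
    alerts = []
    for user, n in today.items():
        baseline = mean(history[user])
        if n >= ratio * baseline:
            alerts.append((user, n, round(baseline, 1)))
    return alerts


if __name__ == "__main__":
    print("rule-based alerts:  ", rule_based_alerts(TODAY))
    print("behavioral alerts:  ", behavioral_alerts(HISTORY, TODAY))
```

The two outputs show both failure modes of the rule: a false positive on a high-volume role and a miss on the insider who stays inside the published boundary.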
Most cybersecurity experts agree that, in order to address the risk of insider breaches, healthcare organizations need to step up employee training while also utilizing technology to detect inappropriate access to medical records.
Another cause for concern is that while the HHS Office for Civil Rights typically focuses on larger privacy violations, it’s been pointed out that small-scale violations of medical privacy often cause the most harm. As a real-world example, the Protenus researchers reported about a hospital employee who shared details of an adolescent's attempted suicide with people at his school. “The child was bullied and made fun of by his peers, resulting in his mother suing the responsible healthcare organization. This type of small-scale breach greatly affected the patient’s life and could end up costing the hospital significantly in legal fees, fines, and settlement,” the report authors wrote.
Besides the negative headlines and the financial impact to an organization, there is also the trust factor, and that should stay front and center in healthcare leaders’ minds as well. Protecting and securing patients’ health data is essential to maintaining and increasing patients’ trust in their healthcare providers.
As the Protenus report authors noted, “Critically, healthcare must move beyond thinking about privacy, security or compliance alone—these are merely three pillars of our true goal: ensuring trust. As an industry, we must think about the fundamental shifts we can effect to build and maintain this trust.”
Due to increasing attention to the impact of insider incidents, the Protenus report authors predict that 2017 will be "the Year of Insider Breach Awareness,” as healthcare organizations begin to realize that this constant and significant problem has gone unaddressed for too long. There are many patient care organizations proactively addressing the problem, and have been for quite some time, by utilizing security technology solutions (behavioral analysis is one, as McMillan noted) and investing resources in employee training and education. There are lessons to be learned from those organizations, and you can expect to see Healthcare Informatics sharing those lessons learned in the coming year as healthcare IT leaders continue to grapple with data security challenges.