Throughout 2016, the message from cybersecurity experts has been fairly consistent and increasingly urgent—leaders at patient care organizations need to prioritize IT security. And, at the risk of sounding like a broken record, a recent year-in-review report on health data breaches makes one thing quite clear—healthcare leaders are still not doing enough to protect patient data.
According to a new “Breach Barometer” report from Baltimore-based healthcare cybersecurity vendor Protenus, and in collaboration with DataBreaches.net, the healthcare industry was plagued by breaches involving patient or health data in 2016, with hacking and ransomware incidents reminding us how vulnerable protected health information (PHI) remains.
According to an analysis by Protenus and DataBreaches.net, there were 450 data breach incidents either reported to the U.S. Department of Health and Human Services (HHS) or disclosed in the media in 2016; that’s more than one health data breach per day for the entire year, and these breaches resulted in 27 million affected patient records. If these trends continue, 2017 can expect to see a continued average of at least one breach disclosed per day.
A Healthcare Informatics news article about the Protenus report briefly highlights the key findings, yet the report findings about insider wrongdoing caught my attention. Many data security experts have pointed out that employees are the weakest link in the cybersecurity fence and, with this in mind, it's important to review these data breach incidents with an eye toward lessons learned and to find a way forward for protecting patient privacy.
Protenus reported that 43 percent of the 2016 health data breaches (192 incidents) were a result of insiders, and for the 162 incidents out of those 192 that Protenus has data for, 2 million patient records were affected. Now, while hacking accounted for the majority of patient records breached in 2016, insider incidents resulted in a larger number of breach incidents (120 vs. 192 respectively).
According to the Protenus report, the average number of breached patient records due to insider error was more than three times the number attributed to insiders with malicious intent. However, the report also noted that this figure was distorted by two large insider error incidents in August and December, which, when removed, shows the two categories to have roughly similar averages.
“While it is reassuring that not all insider breaches are with ill-intent, healthcare organizations need to make employee training, frequent reminders, and re-training a priority,” the report authors wrote.
One key reason why I think the insider incidents should be highlighted is that there is mounting evidence that the problem of insider data breaches has largely gone unaddressed as healthcare organizations focus on catching up with the external threats. Additionally, insider breaches tend to fly under the radar and can go undetected for quite some time. To this point, the report authors noted that in one incident, hospital employees were potentially inappropriately accessing patients’ medical information for years without being detected, because the hospital didn’t have technology in place to monitor or protect patient privacy. The hospital found potentially inappropriate accesses to the medical records beginning no later than 2013, and possibly much earlier.
“Without technology in place to provide alerts when access to a medical record is inappropriate, the organization now has to notify every single patient they’ve encountered since 2013, which will probably end up being a very costly process,” the report authors wrote.
The Protenus report findings also indicate that it took an average of 233 days for a healthcare organization to discover they had a health data breach. Perhaps most troubling is that the time to discovery specifically in cases of insider wrongdoing was more than double that—607 days. It goes without saying that it is critical for healthcare organizations to have a more proactive approach to monitoring patient data, as the sooner a breach is detected, the quicker organizations can mitigate the risk of significant damage being done with their patients’ data.
While limited budgets and resources are likely to blame for some organizations’ data breach detection capabilities, the report authors also surmise that organizations are still taking a reactive rather than proactive approach to privacy monitoring, and this can allow inappropriate access to the patient data to go unnoticed for extended periods of time.
In a recent interview, Mac McMillan, CEO of the Austin, Tex.-based CynergisTek consulting firm, had a similar view of healthcare data security. “I think there are some folks who are beginning to be a bit more proactive, but for the most part, we’re still a very reactive industry,” he said.
Regarding insider data breaches specifically, McMillan said, “They are going to continue to be a problem until we realize as an industry that we need to move to behavioral modeling and behavioral analysis to stop the threat. This is one of those situations where the methods we are using are antiquated. We’re typically monitoring users today based on rules, so in other words, somebody goes outside their prescribed boundary in terms of what they are doing, or some known convention in the system in terms of their profile. The problem is that most insiders that are perpetuating harm, they know what those rules are and so they are careful not to cross those boundaries. And, if you’re not actually looking at behavior, you’re not going to catch that.”
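The contrast McMillan draws, and the report's point about having alerting in place for inappropriate record access, can be made concrete with a small detector run over access-audit events. The following is an added example written for this article; it is not code from the Protenus report, CynergisTek, or any EHR product. The audit-log lines, the user and patient identifiers, the department-based access rule, and the baseline window and z-score threshold are all constructed assumptions. The rule check flags any chart opened outside the user's own department; the behavioural check learns each user's typical number of distinct patients opened per day and flags a day that is far above that user's own baseline. The constructed burst on the last day stays entirely inside the department rule, which is exactly the case a rules-only monitor misses.

```python
"""Rule-based vs. behavioural detection over constructed EHR access-audit events.

Added example, not from the article's sources. Every identifier, log line and
threshold below is a constructed assumption chosen to illustrate the technique.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed audit-log lines (not real data):
# timestamp,user,role,user_department,patient,patient_department
RAW_LOG = """\
2016-08-01T09:10:00,u100,nurse,oncology,p1,oncology
2016-08-01T11:30:00,u100,nurse,oncology,p2,oncology
2016-08-02T09:05:00,u100,nurse,oncology,p2,oncology
2016-08-02T14:20:00,u100,nurse,oncology,p3,oncology
2016-08-02T10:00:00,u200,clerk,cardiology,p9,cardiology
2016-08-02T10:04:00,u200,clerk,cardiology,p5,oncology
2016-08-03T08:50:00,u100,nurse,oncology,p1,oncology
2016-08-03T16:10:00,u100,nurse,oncology,p3,oncology
2016-08-04T02:00:00,u100,nurse,oncology,p1,oncology
2016-08-04T02:05:00,u100,nurse,oncology,p2,oncology
2016-08-04T02:10:00,u100,nurse,oncology,p3,oncology
2016-08-04T02:15:00,u100,nurse,oncology,p4,oncology
2016-08-04T02:20:00,u100,nurse,oncology,p5,oncology
2016-08-04T02:25:00,u100,nurse,oncology,p6,oncology
2016-08-04T02:30:00,u100,nurse,oncology,p7,oncology
2016-08-04T02:35:00,u100,nurse,oncology,p8,oncology
"""


def parse_log(text):
    """Turn the CSV-style lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, user_dept, patient, patient_dept = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "user_dept": user_dept, "patient": patient, "patient_dept": patient_dept,
        })
    return events


def rule_violations(events):
    """Rules-based check (assumed policy): a user may only open charts of
    patients in the user's own department. Each event is judged on its own."""
    return [e for e in events if e["user_dept"] != e["patient_dept"]]


def daily_distinct_patients(events):
    """Map user -> date -> set of distinct patients opened that day."""
    per = defaultdict(lambda: defaultdict(set))
    for e in events:
        per[e["user"]][e["ts"].date()].add(e["patient"])
    return per


def behavioural_anomalies(events, baseline_days=3, z_threshold=3.0):
    """Behavioural check: compare each later day's distinct-patient count to the
    user's own baseline (mean and std-dev over the user's first baseline_days).
    Returns (user, date, count, z) tuples where z exceeds z_threshold."""
    findings = []
    for user, days in daily_distinct_patients(events).items():
        dates = sorted(days)
        base = [len(days[d]) for d in dates[:baseline_days]]
        if len(base) < 2:
            continue  # not enough history to build a per-user baseline
        mean = statistics.mean(base)
        sd = max(statistics.pstdev(base), 1.0)  # floor avoids division by zero
        for d in dates[baseline_days:]:
            n = len(days[d])
            z = (n - mean) / sd
            if z > z_threshold:
                findings.append((user, d.isoformat(), n, round(z, 1)))
    return findings


if __name__ == "__main__":
    evs = parse_log(RAW_LOG)
    print("rule violations:", [(e["user"], e["patient"]) for e in rule_violations(evs)])
    print("behavioural anomalies:", behavioural_anomalies(evs))
```

Run as a script, the rule check reports only the clerk who opened an oncology chart, while the nurse's early-morning sweep of eight charts passes every rule and is surfaced only by the per-user baseline. In a real deployment the baseline would be learned over weeks rather than three days, and role, shift and patient-encounter context would feed the model, but the division of labour is the same: rules catch boundary crossings, behaviour catches the insider who stays inside them.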