In the past two years as I have reported on healthcare data breaches and cybersecurity issues, the overarching message that I’ve repeatedly heard from data security experts is that the threats against healthcare information systems and patient data will get worse before they get better.
That sentiment was echoed again in Protenus’ Breach Barometer Mid-Year Review, released this week, which indicates that, so far, 2017 is on track to match or surpass last year in terms of number of breach incidents and/or number of breached patient records. In fact, 2017 is on track to exceed the 2016 trend of one health data breach per day, according to Protenus.
From January to June 2017, there were a total of 233 breach incidents reported to the U.S. Department of Health and Human Services (HHS), the media, or state attorneys general, according to Protenus, a health data protection startup, and DataBreaches.net, a website that follows and reports data breaches. The two organizations collaboratively develop the Breach Barometer reports. There were a total of 450 incidents in 2016. And, so far, in 2017, 3.16 million patient records were affected by these breach incidents.
Another big takeaway from the Protenus/DataBreaches.net report is that insider threats remain constant. The report states that 41 percent of the health data breaches so far in 2017 (96 incidents) were the result of insiders, and 1.17 million patient records are known to have been affected. In fact, insiders are increasingly responsible for a significant number of health data breaches, 28 percent more than hacking and ransomware.
According to Robert Lord, co-founder and CEO of Protenus, 2 million patient records were affected by insider activity for the entire year in 2016, so the 1.17 million patient records impacted so far this year represents a 20 percent increase versus this time last year.
“The insider threat is a silent, continuous threat that is not being addressed,” Lord said during a webinar presenting the mid-year data breach findings.
Looking at hacking incidents, so far in 2017, there have been 75 separate breach incidents that were the result of hacking, Protenus reports, yet incidents involving hacking or malware are likely underreported. On the HHS breach reporting tool, or “Wall of Shame,” hacking and/or malware are often simply reported as “hacking” or an “IT incident.” And in many cases, DataBreaches.net has found through independent research that incidents were not reported at all.
“We saw about 120 hacking incidents in 2016, so that’s about 60 incidents at the half year. Unfortunately, we’re seeing 25 percent more than that as there’s been 75 hacking incidents so far in 2017. I wish I could share better news with you, but, depending on how you slice it, things are not getting better, and maybe they are getting worse,” Lord said.
The Protenus report findings, and other cybersecurity studies, should serve as a call-to-action for healthcare organizations to increase efforts to thwart inappropriate access to their patients’ most sensitive data. Yet, the perspective of many cybersecurity experts is that this call-to-action may be falling on deaf ears at the senior leadership and board level at patient care organizations.
A recent survey of healthcare IT security leaders by KPMG, an audit, tax and advisory services firm, indicates that the number of healthcare organizations making investments in information security has actually declined since 2015.
When asked about “readiness to defend against a concerted cyber attack,” 35 percent of CIOs, CISOs, CTOs and CSOs at provider and payer organizations said they are “completely ready” versus 16 percent in 2015. In the survey, respondents were asked to rate their “readiness” at a level of 1 (not at all ready) to 5 (completely ready). Thirteen percent of respondents rated their organization at level 3 and 52 percent rated their organization at level 4. None of the organizations rated themselves as level 1 or 2.
KPMG’s survey, conversely, found that cyber security as a board agenda item has declined over the past two years (79 percent versus 87 percent in 2015). In addition, KPMG found a disconnect regarding cyber investment in this volatile environment. A smaller majority of healthcare companies made investments in information protection in the prior 12 months (66 percent versus 88 percent in the 2015 survey).
The KPMG survey results indicate a disconcerting trend, and, in fact, Protenus’ Lord referenced this particular survey during the webinar presenting his company’s data breach findings.