In the past two years as I have reported on healthcare data breaches and cybersecurity issues, the overarching message that I’ve repeatedly heard from data security experts is that the threats against healthcare information systems and patient data will get worse before they get better.
That sentiment was echoed again in Protenus’ Breach Barometer Mid-Year Review, released this week, which indicates that 2017 is on track to match or surpass last year in the number of breach incidents and/or the number of breached patient records. In fact, 2017 is on track to exceed the 2016 pace of one health data breach per day, according to Protenus.
From January to June 2017, there were a total of 233 breach incidents reported to the U.S. Department of Health and Human Services (HHS), the media, or state attorneys general, according to Protenus, a health data protection startup, and DataBreaches.net, a website that tracks and reports data breaches. The two organizations collaboratively develop the Breach Barometer reports. There were a total of 450 incidents in all of 2016. And, so far in 2017, 3.16 million patient records were affected by these breach incidents.
Another big takeaway from the Protenus/DataBreaches.net report is that insider threats remain a constant. The report states that 41 percent of the health data breaches so far in 2017 (96 incidents) were the result of insiders, and 1.17 million patient records are known to have been affected. In fact, insiders are responsible for a significant number of health data breaches, 28 percent more incidents than hacking and ransomware (96 versus 75).
According to Robert Lord, co-founder and CEO of Protenus, 2 million patient records were affected by insider activity for the entire year of 2016, or roughly 1 million at the half-year mark, so the 1.17 million patient records impacted so far this year represent roughly a 20 percent increase versus this time last year.
“The insider threat is a silent, continuous threat that is not being addressed,” Lord said during a webinar presenting the mid-year data breach findings.
Looking at hacking incidents, so far in 2017 there have been 75 separate breach incidents that were the result of hacking, Protenus reports, yet incidents involving hacking or malware are likely underreported. On the HHS breach reporting tool, or “Wall of Shame,” hacking and/or malware are often simply reported as “hacking” or an “IT incident.” And in many cases, DataBreaches.net has found through independent research that incidents were not reported at all.
“We saw about 120 hacking incidents in 2016, so that’s about 60 incidents at the half year. Unfortunately, we’re seeing 25 percent more than that, as there have been 75 hacking incidents so far in 2017. I wish I could share better news with you, but, depending on how you slice it, things are not getting better, and maybe they are getting worse,” Lord said.
The Protenus report findings, and other cybersecurity studies, should serve as a call-to-action for healthcare organizations to increase efforts to thwart inappropriate access to their patients’ most sensitive data. Yet, the perspective of many cybersecurity experts is that this call-to-action may be falling on deaf ears at the senior leadership and board level at patient care organizations.
A recent survey of healthcare IT security leaders by KPMG, an audit, tax and advisory services firm, indicates that the number of healthcare organizations making investments in information security has actually declined since 2015.
When asked about “readiness to defend against a concerted cyber attack,” 35 percent of CIOs, CISOs, CTOs and CSOs at provider and payer organizations said they are “completely ready,” versus 16 percent in 2015. In the survey, respondents were asked to rate their “readiness” on a scale of 1 (not at all ready) to 5 (completely ready). Thirteen percent of respondents rated their organization at level 3 and 52 percent rated their organization at level 4; the remaining 35 percent chose level 5. None of the organizations rated themselves at level 1 or 2.
KPMG’s survey, conversely, found that cyber security as a board agenda item has declined over the past two years (79 percent versus 87 percent in 2015). In addition, KPMG found a disconnect regarding cyber investment in this volatile environment. A smaller majority of healthcare companies made investments in information protection in the prior 12 months (66 percent versus 88 percent in the 2015 survey).
The KPMG survey results indicate a disconcerting trend, and, in fact, Protenus’ Lord referenced this particular survey during the webinar presenting his company’s data breach findings.
“One of the consistent things we see is that no matter how much light has been shone around these things—and people are talking about it and there’s more awareness—there are just not transformational levels of investment in this space. There are good faith efforts; a lot of people care. Security and privacy officers are often understaffed and under-resourced, and they can’t do a lot more without senior level or board buy-in. In order to make changes, we’ve got to take a new approach to this,” he said.
Lord also surmised that as awareness about data security issues has increased, health systems are now just “checking that box” and board members may assume that they have focused on data security enough. “Simply, awareness efforts are reaching security and privacy teams but not getting up to the board. We need to continuously make sure we have that advocacy and that engagement. There needs to be a greater understanding that privacy and security are not just two buzzwords or two departments, but strategic pillars of our organizations. There needs to be a strategic orientation toward trust, and this is an opportunity to build trust with patients,” Lord said.
What’s become very clear to everyone is that health data protection needs to be a priority to increase patient trust in the healthcare organizations where they seek care. Let’s all keep our focus on the fact that behind the data breach incidents are specific medical records, and behind the medical records are real patients with real lives.
As an example of the ripple effect for patients, earlier this spring the Bangor, Maine-based Behavioral Health Center was the victim of a cyber attack. According to media reports, the attack compromised around 4,000 patients’ private information. At the time, DataBreaches.net reported that an ad had been placed on the dark web offering to sell the information for $10,000. Unfortunately, reports of hackers selling health data on the dark web have become fairly common now. The seller claimed that the data included the usual information—names, addresses and Social Security numbers—but because the clinic is a behavioral health center, the medical histories also included highly sensitive information, such as therapy session notes and psychiatric evaluations.
DataBreaches.net also reported that the Maine clinic is now closing and that the breach factored heavily into the decision to close. “It couldn’t bounce back from the liability issues,” DataBreaches.net reported.
There seems to be agreement among cybersecurity experts that transformational change and investment are needed at patient care organizations in order to protect patient data. This will likely entail increasing IT security budgets, but it also means there needs to be a change in mentality at the boardroom level. Until that happens, there is widespread concern that the current upward trajectory of increasing healthcare data breaches will not change, and might only get worse.