Healthcare’s “wall of shame” for 2015 officially closes tonight at midnight. It’s not really a wall, just a website, but it is the mechanism by which the Office for Civil Rights (OCR) at the Department of Health and Human Services publishes the breaches that HIPAA requires covered entities to report to it. The numbers this year are staggering.
According to OCR, there were 253 healthcare breaches in 2015 that each affected 500 or more individuals, with a combined loss of over 112 million records.
The top 10 data breaches alone accounted for just over 111 million records that were lost, stolen or inappropriately disclosed.
The top six breaches each affected at least 1 million individuals, and four of the six were Blue Cross Blue Shield organizations.
The largest category of breaches, about 38%, was reported as “Unauthorized Access/Disclosure,” yet nine of the top ten breaches were reported as a “Hacking/IT Incident.” Across all breaches, “Hacking/IT Incident” accounted for 21% and “Theft” for 29%.
Certainly the largest single breach, Anthem, represented over 70% of the total records compromised, but that still left 33 million records breached through other healthcare organizations.
Anthem carried at least five layers of cyber insurance with combined coverage of $150 to $200 million, so the direct financial impact isn’t expected to register in its earnings or profits.
Chris Rigg, an analyst with Susquehanna Financial Group, called Anthem’s incident “unfortunate but manageable.” J.P. Morgan Securities Analyst Justin Lake said in a note to investors that the data breach is not expected to hurt the company’s lofty profit projections for 2015. An Anthem spokeswoman said the company does not expect a “material” financial impact from the breach.
– “Huge data hack not expected to hurt Anthem’s bottom line,” Modern Healthcare
HIPAA, passed in 1996, is the legislation meant to protect patients against loss, theft or disclosure of their sensitive medical information, but its fines and penalties don’t appear to be having a discernible effect on either patient privacy or data security.
But in reality, it is a toothless tiger. Unless you’re famous, most hospitals and clinics don’t keep tabs on who looks at your records if you don’t complain. And even though the civil rights office can impose large fines, it rarely does: It received nearly 18,000 complaints in 2014 but took only six formal actions that year. A recent report from the HHS inspector general said the office wasn’t keeping track of repeat offenders, much less doing anything about them.
– “Farah Fawcett Was Right–We Have Little Medical Privacy,” ProPublica
What should we expect on the road ahead for 2016? According to some of the cybersecurity experts I polled recently, more of the same.
The IDC’s Health Insights group predicts that 1 in 3 health care recipients will be the victim of a health care data breach in 2016. These stats should be a wake-up call for the entire industry. Why? My prediction is that credit card data will decline in value on the black market as chip-and-signature and chip-and-PIN card adoption rises and, unfortunately, those bad guys will mine the health care industry’s data to steal patient records and personally identifiable information to commit health care fraud, and listen in on the unsecured medical devices that have created a “chatty” Internet of Things. In 2015, more people than ever learned their data was stolen and used to target them in ways they could not have even imagined. The consumer can’t leave the safety of their data to any government or private sector entity. If someone has your data, it can and will be hacked unless you take your own steps to protect it.
– Theresa Payton, CEO of Fortalice Solutions LLC and former White House CIO
2015 was the year of the healthcare breach, with many organizations falling victim to malicious attacks. Earlier this year, Anthem was breached, and the cause was traced back to phishing attacks. This helps to prove that people are still often the weakest link in the security equation. The truth is that it doesn’t matter how strong your security is, people still need to be trained properly on how to protect data. For example, strong key and password management is essential. With this in mind, 2016 will see a “back-to-basics” approach where healthcare organizations push hard on training workers to take the preventative measures necessary to avoid more breaches in the future.
– Garry McCracken, VP of Technology, WinMagic
A recent data breach study estimates that breaches cost the healthcare industry about $5.6 billion annually. As healthcare moves toward connected care, the amount of data exchanged between organizations will only grow. So what does this mean? It means that in 2016, we’re going to see a huge movement towards encryption in hospitals and other healthcare facilities in order to protect EHRs and other vulnerable PHI. According to a 2014 Healthcare Breach Report, 68 percent of all healthcare data breaches since 2010 are due to device theft or loss. The headlines make it appear that hackers are attacking databases, but the reality is most of the problems are from unstructured content inside documents, and those documents are not encrypted. Encrypting data is vital to protecting patient information. Recent privacy and security laws, like those from New Jersey, are mandating that insurance carriers must encrypt personal information. This will logically include anyone that deals with the carriers and handles PHI.
– Ron Arden, Vice President, Fasoo
I don’t think 2016 will change much in terms of IT security at medical providers, hospitals, etc. I think the real changes will be in the device vendors and supply chain. Organizations like GE Healthcare and Siemens have announced strategic initiatives around medical device security. This is important as the cost of doing a firmware upgrade for a medical device that is embedded in a patient could be outrageous, so many firms are looking at ways to do these remotely, wirelessly, etc., but in a secure fashion. They’re going through the same pains that Microsoft did when security wasn’t core to their processes. I expect to see a lot more research, vulnerabilities, and reports coming out in 2016 for IoT/medical device products.
– Mike Davis, CTO, Countertack
Healthcare IT security will continue to fall further and further behind the rest of the industry verticals despite the increase in spending on technology and human resources. The industry is focusing on functionality for patient care and security is an afterthought. Many organizations are also overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger.
– James Carder, CISO & VP, LogRhythm Labs
In 2016, healthcare IT managers will be under pressure from 3LAs (three-letter acronyms) on three sides: 1) fresh OCR HIPAA audits and penalties; 2) more aggressive FDA action on vulnerable medical devices and pseudo-medical apps; and 3) at least one FTC action against a wearable or IoT device or app used in wellness programs.
– Stephen Cobb, Senior Security Researcher, ESET
Privacy is dead but trust isn’t. An individual’s willingness to share data depends on the benefits they receive and their trust in a health organization. When putting personal data in the hands of a health organization, a person is trusting in that entity to use their information for the right purpose and protect it from inappropriate use. If healthcare providers are complacent about safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft.
– Kaveh Safavi, Senior Managing Director for Accenture’s health business
I wish we could look back on 2015 as the year that healthcare took data security and patient privacy more seriously, but the “wall of shame” isn’t encouraging. In a data-driven world, medical information is just too lucrative and too easy to steal at scale. As long as that’s the case, and the tigers remain toothless, we should reasonably expect more of the same for 2016.