A little over ten years ago, in 2008, less than half of healthcare organizations used electronic health records (EHRs). Now, thanks to the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), it’s more surprising when an office-based physician does not have EHRs. While the adoption of electronic health records was necessary for American healthcare to keep up with the rest of the world and the rapidly changing technological landscape, it didn’t come without its downsides.
The number of reported security breaches has risen steadily since HITECH raised the penalties for HIPAA violations and, through its Breach Notification Rule, made it mandatory to report breaches to HHS (reporting began in late 2009). In 2010, the number of reported data breaches in the healthcare industry topped that of the previous six years combined, although breaches before 2009 did not have to be reported, so the earlier counts are not directly comparable. The healthcare industry chalked the jump up to the rapid adoption of EHRs; it is clear now that this was not the whole story. The latest data, from 2018, shows reported incidents still increasing.
With clinical and administrative work now running on smartphones, workstations, and cloud services, the attack surface has never been larger. To know whether your electronic protected health information (e-PHI) is safe, and to learn about the top breaches in healthcare security, read on.
The Current Cyber Security Landscape
To those currently working in healthcare data security, it can feel a bit like the Wild West. HIPAA, the sheriff, sets the rules and the penalties for breaking them; what it says is law. HITECH, the judge, stiffened those penalties, made breach reporting mandatory, and extended HIPAA's security obligations directly to business associates. Finally, there is HITRUST, a private security framework that acts as the hired guns for an operation (discussed at the end of this article).
Metaphor stretching a bit? The thing is, people often forget that even in this era where newer, better devices appear by the month, the internet is still in its infancy as a technology. In other words, the infrastructure is there and the means of cybersecurity are available, but the threats that are bound to come are hard to predict.
Suddenly the open borders and "lawlessness" of the Wild West seem like an apt metaphor.
Grasping the Data Around Cyber Security
Don’t worry, this isn’t going to turn into a McMurtry western novel. Instead, let’s stick to what we understand best: data. When it comes to the cybersecurity landscape, there is data on the:
- Number of reported breaches per year
- Average number of exposed records per year
- Causes of security breaches
- Worst data breaches in recent history
Starting with these, we can more fully grasp the problems in current data security and how best to combat them.
Number of Reported Breaches
In 2018, data breaches affecting 500 or more individuals (the threshold at which a breach must be reported to HHS and is published on its breach portal) averaged one per day. This is a staggering finding. Ten years ago, the average was closer to once or twice a month. Here are the reported counts, to understand the sheer number of healthcare breaches:
- 2009 – 18 reported data breaches
- 2010 – 199 reported data breaches
- 2012 – 218 reported data breaches
- 2014 – 314 reported data breaches
- 2016 – 327 reported data breaches
- 2018 – 365 reported data breaches
What can easily be extracted from this is how the adoption of EHRs was handled: poorly, to say the least. HITECH was passed in 2009, and it pushed healthcare organizations toward EHRs with incentive payments for adoption and, later, Medicare payment reductions for those that did not. So, organizations complied without adequately considering the risk of data breaches.
However, the jump from 2009 to 2010 is partly explained by mandatory reporting; what happened afterward is harder to explain. To put it bluntly: Why have healthcare organizations not gotten better at security since the adoption of electronic health records? One would expect a sharp rise in the years following HITECH, followed by a slow decrease as equipment and data security improved.
This clearly is not the case.
Number of Exposed Records
The next question to focus on is how many records are exposed per year. The number of incidents has increased, but that does not necessarily mean security has not improved. For some quick numbers:
- 2012 – 2.8M exposed records (lowest since 2010)
- 2015 – 113M exposed records (massive spike)
- 2016 – 16M exposed records
- 2017 – 5.1M exposed records
- 2018 – 13M exposed records
What is difficult to ascertain from this data is whether data security is improving year over year. Some years fare better than others, and 2015 stands as a massive outlier in the sheer volume of exposed records.
2015 Gone Phishing: Be Back Soon
Prior to 2015, attackers spent the bulk of their resources on stealing credit card information, which made the retail industry and the financial sector their biggest targets. Then something clicked, and Social Security numbers became the hot ticket item. And what holds a tremendous reservoir of Social Security numbers? You got it: healthcare.
Their method of attack: phishing.
Phishing is a social engineering method of drawing out personal information such as usernames, passwords, and even bank account details. Attackers send fake emails from addresses that look legitimate, either spoofing a real domain or registering a lookalike one. One simple example involves "corn": in a small typeface, the letters "r" and "n" placed together look very much like the letter "m."
Thus, a phishing scam would send emails from an address like "Name@Company.corn" (spelled c-o-r-n rather than c-o-m) to employees, asking them to look at a document. The employee clicks a link that leads to a fake page asking them to log in to their email again. The employee, tired from a long day or juggling multiple projects at once, ignores the red flag and enters his or her username and password. Voila, the attackers have a valid credential and an entryway into the network.
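The "corn" trick above is a lookalike-domain attack, and it can be caught mechanically rather than by a tired reader. The following Python check is an added example, not code from the original article or from any vendor it mentions: it normalizes common lookalike substitutions (rn for m, vv for w, 0 for o, and so on) and compares the sender's domain against a list of the organization's own domains. The trusted-domain list and the sample addresses are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed for this example: the domains this organization legitimately sends from.
TRUSTED_DOMAINS = {"company.com", "mail.company.com"}

# Character sequences attackers substitute because they look alike in many fonts.
# Key: what the attacker registers; value: what the reader perceives.
CONFUSABLES = {
    "rn": "m",   # company.corn -> company.com (the example from the text)
    "vv": "w",
    "cl": "d",
    "1": "l",
    "0": "o",
    "3": "e",
    "5": "s",
}


def normalize(domain: str) -> str:
    """Collapse confusable sequences into the character they imitate.

    This is lossy (e.g. a real 'cl' also becomes 'd'), but it is applied to
    both the trusted and the suspect domain, so equality remains meaningful.
    """
    d = domain.lower().strip().rstrip(".")
    # Longest keys first so "rn" is handled before the single-character rules.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(fake, real)
    return d


def sender_domain(address: str) -> str:
    """Pull the domain out of a From header such as 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'malformed' for one sender address.

    'lookalike' covers both confusable substitutions (c0mpany.com) and plain
    typo-squats (compnay.com) that are near-identical to a trusted domain.
    """
    dom = sender_domain(address)
    if not dom:
        return "malformed"
    if dom in trusted:
        return "trusted"
    norm = normalize(dom)
    for t in trusted:
        t_norm = normalize(t)
        if norm == t_norm:
            return "lookalike"
        if SequenceMatcher(None, norm, t_norm).ratio() >= threshold:
            return "lookalike"
    return "external"


def triage(from_headers):
    """Classify a batch of From headers; returns {address: verdict}."""
    return {addr: classify_sender(addr) for addr in from_headers}


if __name__ == "__main__":
    # Constructed sample From headers, including the 'corn' trick.
    samples = [
        "Alice Smith <alice@company.com>",
        "HR Team <hr@company.corn>",
        "payroll@c0mpany.com",
        "it-help@compnay.com",
        "bob@gmail.com",
    ]
    for addr, verdict in triage(samples).items():
        print(f"{verdict:10s} {addr}")
```

Anything classified as lookalike should be quarantined or at least tagged before it reaches an inbox; at the same time, the check is deliberately narrow. It does not handle Unicode homoglyphs in internationalized domain names (a Cyrillic "а" in place of a Latin "a"), which need a proper confusables table, and it does nothing for mail that spoofs the real domain outright. Sender authentication (SPF, DKIM and DMARC) addresses the latter.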
Email Security Gets an Upgrade
These phishing scams were not one-time attempts. Most of them are spotted and avoided, but it only takes one misstep, one person who does not notice the warning signs. In the case of 2015, it only took two.
Once security experts realized the significance of phishing, email security got an upgrade. The controls that matter most are sender authentication (SPF, DKIM, and DMARC) to make spoofed mail easier to reject, and multi-factor authentication on email and VPN logins, so that a phished password alone no longer opens the door.
Causes of Security Breaches
In 2015, phishing was the biggest cause of security breaches in healthcare, but that was an unusual year. Across the reporting period, the five most common causes (the categories HHS uses on its breach portal) are:
- Hacking and IT incidents
- Unauthorized access and disclosure of information
- Theft of paper records and electronic equipment containing sensitive information
- Loss of records and equipment containing sensitive information
- Improper disposal of PHI and e-PHI
Hacking and IT Incidents
Hacking and IT incidents include everything from phishing to malware and ransomware infections. The rate of these breaches in healthcare has risen rapidly since the start of the data series in 2010. To give a cursory glance, here is the data:
- 2010 – 8 reported hacking/IT incidents
- 2012 – 16 reported hacking/IT incidents
- 2014 – 35 reported hacking/IT incidents
- 2016 – 113 reported hacking/IT incidents
- 2017 – 147 reported hacking/IT incidents
- 2018 – 158 reported hacking/IT incidents
There is little doubt that the number of incidents has increased; what is open to debate is whether the reported numbers are accurate. The problem is that a network weak enough to be breached is often also one with too little logging and monitoring to notice the intrusion, so many early incidents went undetected and therefore unreported. Counts of hacking incidents measure detection as much as they measure attacks.
The number of records exposed to hacking and IT incidents in 2018 alone resulted in 9.1M of the total 13M records (roughly 70%).
Unauthorized Access and Disclosure
Close behind hacking and IT incidents, unauthorized access and disclosure has a similar number of reported incidents, though far fewer records are exposed per incident. The number of exposed records in 2018 was estimated at about 3M of the total 13M (about 23%).
Theft, Loss, and Improper Disposal
The final 7% of exposed records resulted from theft, loss, and improper disposal of equipment or records containing protected health information. Examples include unencrypted laptops stolen from vehicles, lost portable drives and backup media, and paper records or retired hardware discarded without shredding or wiping; all of these can be mitigated by proper security education and enforcement.
Because the HIPAA Security Rule requires administrative, physical, and technical safeguards for e-PHI and for the systems that hold it, and HITECH extended those requirements to business associates, implementing a security framework can greatly reduce these incidents. Full-disk encryption is the single most effective control here: under the Breach Notification Rule, a lost or stolen device whose data was properly encrypted does not count as a reportable breach, because the data is considered unreadable to whoever has the hardware. As a whole, these incidents have been decreasing.
Improper disposal has held steady at around 10 incidents per year. Theft and loss, however, have decreased:
- 2010 – 148 reported theft/loss incidents
- 2012 – 138 reported theft/loss incidents
- 2014 – 143 reported theft/loss incidents
- 2015 – 105 reported theft/loss incidents
- 2016 – 78 reported theft/loss incidents
- 2017 – 73 reported theft/loss incidents
- 2018 – 55 reported theft/loss incidents
The number of exposed records from theft, loss, and improper disposal combined in 2018 was just over 1M.
Data Breach by PHI and e-PHI Location
It is also worth noting where these data breaches are occurring. Many are quick to point to the use of smartphones in healthcare as the culprit, but the data does not support that. Overwhelmingly, breaches of PHI and e-PHI in 2018 involved the following locations (a single breach can be reported against more than one location, so the figures sum to more than the year's 365 incidents):
- Email – Accounting for 122 of the total incidents in 2018
- Paper Records – Accounting for 81 of the total incidents
- Network Server Breach – Accounting for 74 of the total incidents
- Desktop Computer – Accounting for 34 of the total incidents
- Laptops – Accounting for 27 of the total incidents
- Electronic Medical Records – Accounting for 27 of the total incidents
- Portable Electronic Devices (Including Cellphones) – Accounting for 21 of the total incidents
Top 10 Worst Security Breaches in Healthcare History
For an understanding of the worst security breaches in healthcare, here are the ten largest by number of individuals affected:
- Anthem Inc – 2015 – 78.8M exposed records to a hacking incident
- Premera Blue Cross – 2015 – 11M exposed records to a hacking incident
- Excellus Health Plan – 2015 – 10M exposed records to a hacking incident
- Science Applications Intl Corp – 2011 – 4.9M records were lost
- UCLA Health – 2015 – 4.5M exposed records to a hacking incident
- Community Health Systems Professional Services Corp – 2014 – 4.5M exposed records to a hacking incident
- Advocate Med Group – 2013 – 4M exposed records due to theft
- Medical Informatics Engineering – 2015 – 3.9M exposed records to a hacking incident
- Banner Health – 2016 – 3.6M exposed records to a hacking incident
- Newkirk Products Inc – 2016 – 3.5M exposed records to a hacking incident
It should be noted that none of these are from the last two years, which suggests, though it does not prove, that security frameworks are improving and that the number of records exposed in a single breach is coming down.
HIPAA Penalties and Fines
HIPAA's enforcement rules set out four tiers of civil penalties. The tier is determined by the entity's level of culpability: whether it knew or should have known about the violation, whether the violation amounted to willful neglect, and whether it was corrected within 30 days. Penalties are assessed per violation, with an annual cap for identical violations; the caps below are the ones HHS announced in its April 2019 notice of enforcement discretion (before that, every tier carried a $1.5 million cap), and they are adjusted annually for inflation.
- Tier 1 – Maximum of $25,000 per year – The entity did not know about the violation and, exercising reasonable diligence, would not have known.
- Tier 2 – Maximum of $100,000 per year – The violation was due to reasonable cause and not to willful neglect.
- Tier 3 – Maximum of $250,000 per year – The violation was due to willful neglect, but was corrected within 30 days.
- Tier 4 – Maximum of $1,500,000 per year – The violation was due to willful neglect and was not corrected within 30 days.
To avoid these penalties and fees, you need to know how to prevent security breaches in healthcare organizations.
How to Prevent Security Breaches in Healthcare
Healthcare organizations and their business associates must keep their data security HIPAA compliant to avoid penalties. Many are adopting security frameworks that incorporate the HIPAA requirements, such as the HITRUST Common Security Framework (CSF). The HITRUST CSF is a certifiable framework whose controls map to HIPAA's administrative, physical, and technical safeguards. One caveat: HHS does not recognize any certification as proof of HIPAA compliance, so a HITRUST certification is evidence of a strong program, not a substitute for meeting the regulation itself.
To become HITRUST CSF certified, you implement the framework and have it assessed by an authorized HITRUST CSF assessor, such as the experts at RSI Security. RSI Security is a full-service security provider that can guide you through HITRUST certification and HIPAA and HITECH compliance.
Overview of Security Breaches in Healthcare
In this new era of digital communication, electronic health records, and cloud technology, cybersecurity needs to be a pillar of every healthcare organization. Additionally, business associates of healthcare organizations are now directly liable under HIPAA and must be compliant in their own right to withstand HHS audits and investigations.
Health IT. Office-based Physician Electronic Health Record Adoption. https://dashboard.healthit.gov/quickstats/pages/physician-ehr-adoption-trends.php
HIPAA Journal. Analysis of 2018 Healthcare Data Breaches. https://www.hipaajournal.com/analysis-of-healthcare-data-breaches/
HIPAA Journal. Healthcare Data Breach Statistics. https://www.hipaajournal.com/healthcare-data-breach-statistics/
HIPAA Journal. 2015: The Year of the Healthcare Data Breach. https://www.hipaajournal.com/2015-the-year-of-the-healthcare-data-breach-8239/
HHS. HIPAA for Professionals. https://www.hhs.gov/hipaa/for-professionals/index.html