What are the main causes of security breaches in healthcare?

The main causes of security breaches in healthcare include hacking and IT incidents, unauthorized access or disclosure, theft or loss of devices, improper disposal of PHI and e-PHI, and human error such as falling for phishing emails.

Why are healthcare organizations frequent targets for cyberattacks?

Healthcare organizations are highly targeted because they store valuable patient data, including Social Security numbers, medical histories, and insurance details. This information can be sold or used for identity theft, making the industry a prime target for cybercriminals.

What is the impact of security breaches in healthcare?

Security breaches in healthcare can lead to financial losses, HIPAA penalties, operational disruption, compromised patient safety, reputational damage, and the exposure of sensitive patient information such as PHI and e-PHI.

What was the worst security breach in healthcare history?

The worst healthcare security breach occurred in 2015 when Anthem Inc. suffered a hacking incident that exposed 78.8 million patient records, making it the largest breach in the industry’s history.

Does HIPAA penalize organizations for security breaches?

Yes. HIPAA enforces penalties based on four tiers, depending on the level of negligence and whether corrective action was taken. Fines range from $25,000 to $1.5 million per year for repeat violations.

Main Causes of Security Breaches in the Healthcare Industry

Q: How can healthcare organizations prevent security breaches?

Healthcare organizations can prevent security breaches by implementing strong cybersecurity controls, conducting regular risk assessments, training employees, encrypting devices, and adopting recognized frameworks such as the HITRUST CSF to ensure HIPAA compliance.

RSI Security

1 month ago

Over the past decade, healthcare has seen a dramatic shift from paper records to electronic health records (EHRs). In 2008, less than half of healthcare organizations used EHRs. Today, thanks to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), it’s unusual to find a physician’s office without them. While EHR adoption has modernized American healthcare, it has also introduced new challenges, especially when it comes to security breaches.

Since the HITECH Act increased penalties for noncompliance, the number of healthcare data breaches has risen steadily. In 2010 alone, reported breaches surpassed the total of the previous six years combined. Initially, this spike was attributed to rapid EHR adoption, but it’s now clear that other factors contribute to the growing risk. By 2018, incidents continued to climb, highlighting ongoing vulnerabilities in healthcare cybersecurity.

With the proliferation of digital tools, from smartphones and computers to cloud storage and metadata, cybersecurity risks in healthcare have never been higher. Understanding these risks is crucial to protecting electronic personal health information (e-PHI) and learning about the top security breaches affecting the industry.

Grasping the Data Around Cybersecurity

Rather than getting lost in metaphors, it’s best to focus on the data. Understanding the numbers behind healthcare cybersecurity helps reveal the scope of the problem and guides effective prevention strategies. Key areas to examine include:

The number of reported security breaches per year
The average number of exposed patient records annually
Common causes of security breaches
The most significant data breaches in recent history

By analyzing these metrics, healthcare organizations can better understand current vulnerabilities and implement targeted measures to reduce risk.

Also Read: How Long Does it Take to Get HITRUST Certified?

Assess your cybersecurity

Number of Reported Security Breaches

In 2018, the healthcare industry experienced, on average, one reported security breach per day involving 500 or more exposed records, a staggering increase compared to just a decade earlier, when breaches occurred roughly once or twice a month. Here’s a snapshot of reported healthcare data breaches over the years:

2009: 18 reported breaches
2010: 199 reported breaches
2012: 218 reported breaches
2014: 314 reported breaches
2016: 327 reported breaches
2018: 365 reported breaches

These numbers highlight how the rapid adoption of electronic health records (EHRs) was often implemented without sufficient attention to security. After the passage of the HITECH Act in 2009, healthcare organizations and their business associates were required to adopt EHRs or face significant penalties. Unfortunately, many organizations prioritized compliance over the risk of security breaches.

Despite the dramatic jump in breaches from 2009 to 2010, progress in healthcare cybersecurity has remained inconsistent. Rather than seeing a decline in reported breaches as data security measures improved, incidents have continued to rise, underscoring persistent vulnerabilities in the healthcare sector.

Number of Exposed Records

While the number of reported security breaches has increased over the years, it’s also important to examine how many records are exposed annually. Here’s a snapshot of notable years:

2012: 2.8 million exposed records (lowest since 2010)
2015: 113 million exposed records (massive spike)
2016: 16 million exposed records
2017: 5.1 million exposed records
2018: 13 million exposed records

These figures show that some years experience significant spikes, like 2015, making it difficult to determine whether overall data security is improving.

The Rise of Phishing in Healthcare

Before 2015, hackers primarily targeted credit card information, focusing on the retail and financial sectors. However, social security numbers became a more valuable target, and healthcare, which stores vast amounts of this information, became a prime focus.

The most common attack method? Phishing.

Phishing is a form of social engineering where hackers trick employees into revealing sensitive information, such as usernames, passwords, and other credentials. A typical example involves fake emails from seemingly legitimate accounts. For instance, small typeface tricks, like “r” and “n” placed together to mimic an “m,” can create deceptive email addresses such as “Name@Company.c-o-r-n.”

An unsuspecting employee who clicks the link and enters login information inadvertently gives hackers access to the network. These phishing attacks were a major contributor to the record spike in exposed data in 2015 and continue to be a critical vector for security breaches in healthcare.

Email Security Gets an Upgrade

Phishing attacks are rarely isolated incidents. Even with safeguards in place, it only takes one employee mistake to compromise a system. In 2015, just two missteps led to massive consequences: Anthem and Premera Blue Cross fell victim to phishing scams that allowed hackers to bypass security measures and expose 89.8 million of the 113 million records breached that year.

Recognizing the severity of phishing threats, healthcare organizations upgraded their email security protocols. These enhancements included better employee training, stricter authentication measures, and advanced email filtering to prevent fraudulent messages from reaching inboxes.

Addressing phishing is critical for reducing security breaches, as email remains a primary entry point for cyberattacks in healthcare.

ALSO READ: How to Boost Your Cyber Security With Email Encryption

Causes of Security Breaches

While phishing was the leading cause of security breaches in healthcare in 2015, it was an unusually high year. Across the industry, the five most common causes of breaches are:

Hacking and IT incidents – cyberattacks that exploit system vulnerabilities.
Unauthorized access and disclosure – employees or outsiders accessing sensitive data without permission.
Theft of records or electronic equipment – physical theft of paper records, laptops, or devices containing protected health information (PHI).
Loss of records or equipment – accidental misplacement of records or devices storing sensitive data.
Improper disposal of PHI and e-PHI – failure to securely destroy records or devices containing sensitive patient information.

Understanding these causes is essential for healthcare organizations to implement strategies that prevent security breaches and protect patient data.

Hacking and IT Incidents

Hacking and IT incidents encompass a range of threats, including phishing, malware, and other cyberattacks. The frequency of these security breaches in healthcare has increased significantly since 2010. Reported incidents over the years include:

2010: 8 reported hacking/IT incidents
2012: 16 reported incidents
2014: 35 reported incidents
2016: 113 reported incidents
2017: 147 reported incidents
2018: 158 reported incidents

While the upward trend is clear, it’s important to note that early reporting may have underestimated the true scale. Many security systems lacked the sophistication to detect and timestamp hacking attempts, meaning some incidents went unreported.

In 2018, hacking and IT incidents alone exposed 9.1 million records, accounting for roughly 70% of the total 13 million healthcare records breached that year. This highlights the significant impact of IT-related attacks on overall security breaches in the healthcare industry.

Unauthorized Access and Disclosure

Unauthorized access and disclosure are the second most common causes of security breaches in healthcare, closely following hacking and IT incidents. While the number of reported incidents is similar, the volume of exposed records per incident tends to be lower.

In 2018, unauthorized access and disclosure accounted for approximately 3 million exposed records, representing about 23% of the total 13 million healthcare records breached that year.

Understanding these incidents is essential, as they often involve employees or insiders who inadvertently or intentionally access sensitive patient information, highlighting the importance of strict access controls and monitoring to prevent security breaches.

Speak with a HITRUST expert today!

Theft, Loss, and Improper Disposal

The remaining 7% of exposed healthcare records result from theft, loss, and improper disposal of equipment containing personal health information (PHI). Common examples include unencrypted laptops stolen from vehicles, accessing unencrypted data over public networks, and other avoidable errors. These risks can be significantly reduced through proper employee training and enforcement of security policies.

HITECH provides guidance on implementing administrative, physical, and technical controls to safeguard data and the systems that store it. By following these frameworks, healthcare organizations can reduce the likelihood of these types of security breaches.

While incidents of improper disposal remain relatively steady at around 10 per year, theft and loss have decreased over time:

2010: 148 reported theft/loss incidents
2012: 138 incidents
2014: 143 incidents
2015: 105 incidents
2016: 78 incidents
2017: 73 incidents
2018: 55 incidents

In 2018, the total number of records exposed due to theft, loss, and improper disposal was just over 1 million, a small but significant portion of overall healthcare security breaches.

Data Breaches by PHI and e-PHI Location

Understanding where healthcare data breaches occur is essential for targeting preventive measures. While smartphones often get blamed, most breaches actually happen in other areas. In 2018, reported incidents of security breaches affecting personal health information (PHI) and electronic PHI (e-PHI) occurred primarily in the following locations:

Email: 122 incidents
Paper Records: 81 incidents
Network Server Breaches: 74 incidents
Desktop Computers: 34 incidents
Laptops: 27 incidents
Electronic Medical Records (EMRs): 27 incidents
Portable Electronic Devices (including smartphones): 21 incidents

These figures highlight that while mobile devices are a concern, the majority of breaches involve more traditional channels such as email, paper records, and network servers. Understanding the distribution of breaches by location helps healthcare organizations prioritize security measures and reduce the risk of future security breaches.

Top 10 Worst Security Breaches in Healthcare History

To understand the impact of healthcare cybersecurity failures, here are the ten largest reported security breaches:

Anthem Inc (2015): 78.8 million records exposed in a hacking incident
Premera Blue Cross (2015): 11 million records exposed in a hacking incident
Excellus Health Plan (2015): 10 million records exposed in a hacking incident
Science Applications Intl Corp (2011): 4.9 million records lost
UCLA Health (2015): 4.5 million records exposed in a hacking incident
Community Health Systems Professional Services Corp (2014): 4.5 million records exposed in a hacking incident
Advocate Med Group (2013): 4 million records exposed due to theft
Medical Informatics Engineering (2015): 3.9 million records exposed in a hacking incident
Banner Health (2016): 3.6 million records exposed in a hacking incident
Newkirk Products Inc (2016): 3.5 million records exposed in a hacking incident

It’s worth noting that none of the largest breaches occurred in the last two years, indicating that data protection frameworks and overall cybersecurity measures are improving across the healthcare industry.

HIPAA Penalties and Fines

In response to security breaches, HIPAA enforces a structured system of penalties based on the severity of violations and the efforts made to correct them:

Tier 1: Up to $25,000 per year – Violation occurred unknowingly, with reasonable efforts to correct the issue.
Tier 2: Up to $100,000 per year – Violation occurred unknowingly, with no effort to correct the issue.
Tier 3: Up to $250,000 per year – Violation occurred due to willful neglect, but corrected within 30 days.
Tier 4: Up to $1,500,000 per year – Violation occurred due to willful neglect, with no corrective effort.

To avoid these penalties, healthcare organizations must implement robust strategies to prevent security breaches, including strong technical controls, employee training, and adherence to regulatory frameworks.

How to Prevent Security Breaches in Healthcare

Healthcare organizations and their business associates must maintain HIPAA-compliant data security to avoid costly penalties and protect patient information. One effective approach is adopting recognized data security frameworks that incorporate HIPAA mandates, such as the HITRUST CSF (Common Security Framework).

The HITRUST CSF provides a comprehensive, certified framework that helps organizations secure sensitive data while ensuring HIPAA compliance. Implementing this framework reduces the risk of security breaches by addressing technical, administrative, and physical safeguards.

Organizations can work with verified HITRUST CSF assessors, like the experts at RSI Security, to implement the framework effectively. RSI Security offers full-service support to achieve HITRUST CSF certification and maintain ongoing HIPAA and HITECH compliance, helping healthcare organizations prevent security breaches and safeguard patient data.

Overview of Security Breaches in Healthcare

In today’s digital healthcare environment, with electronic health records, cloud technology, and advanced communication systems, cybersecurity is a critical priority for healthcare organizations. Protecting patient information from hacking, phishing, theft, and other threats is essential to preventing costly security breaches and maintaining regulatory compliance.

Business associates of healthcare organizations must also remain HIPAA-compliant to pass audits by the Department of Health and Human Services (HHS). Implementing a comprehensive data security framework, such as the HITRUST CSF, can significantly reduce the risk of breaches and safeguard sensitive data.

To ensure robust protection and compliance, healthcare organizations should consult cybersecurity experts, like RSI Security, to implement proven frameworks and strategies that prevent security breaches and secure patient information.