There is good news and bad news when we examine the 2017 health data breach landscape. Let’s start with the bad news: like 2016, there was an average of at least one health data breach per day throughout 2017. In total, there were 477 incidents reported to HHS, the media, or other sources. Interestingly, 74% of all incidents were either the result of insiders (176 incidents) or hacking (178 incidents). The good news is that, despite the high number of incidents, there were fewer massive data breaches that affected large numbers of patient records. As a result, the total number of affected records in 2017 was five times less than in 2016.
Ransomware attacks on the rise
If we take a closer look at the hacking incidents that occurred in 2017, one thing immediately becomes clear: Ransomware attacks were a rampant problem as this type of incident doubled in 2017 compared to 2016. It is important to note that this may be the result of healthcare organizations getting better at detecting and reporting ransomware attacks, rather than there being an alarming spike in the number of actual ransomware incidents. Nevertheless, hacking attacks that involve ransomware are becoming a huge issue for the healthcare industry, with covered entities under constant attack from malicious external actors.
The industry seems to be taking this issue seriously. Healthcare security professionals are emphasizing the threat that hacking and specifically ransomware and malware presents to the privacy and security of patient data. A recent HIMSS Analytics survey found that information technology and security officials believe that email was the most likely source of data breaches. But, more importantly, when asked how security officials are planning to strengthen their cyber resilience, they responded that providing cybersecurity training to employees is one of their top priorities, second only to actually preventing malware and/or ransomware attacks altogether.
The enemy within
While the danger that external threats pose to healthcare organization received increased awareness, 2017 proved that insider threats remain dangerous. Illustrating this is the fact that one health data breach went undiscovered for 14 years. While hacking incidents often cause immediate, widespread disruption to hospital’s daily operations, insider threats, on the other hand, pose a more subtle danger because they can continue under the radar for long periods of time. Not only do these incidents impose a multitude of costs on a healthcare organization, they also break patients’ trust and tarnish that organization’s reputation - one of their most valuable assets.
2017 has demonstrated that organizations must take proactive approaches to protecting patient data and monitoring for insider threats. The HIMSS Analytics survey also found that 40% of surveyed healthcare organizations had policies in place to manage insider threats; 35% said they only had an informal program; 21% said they had no program in place; and 5% said they did not know if one was in place.
This survey illustrates that enormous gaps still exist in programs designed to prevent and detect insider breaches. To close them, healthcare organizations must acquire full visibility into how their employees access patient data in the EHR. Full visibility means a thorough understanding of EHR users’ normal behavior workflows within the EHR because this allows privacy teams to detect when behavior deviates from the norm - greatly mitigating the damage and costs associated with a breach. It’s clear that solutions for protecting PHI need to be custom-built for the healthcare industry to meet the unique challenges and requirements of the clinical environment.
What can we expect as we look ahead to 2018?
Unfortunately, we can expect the trend of at least one health data breach a day to continue throughout 2018. In fact, we might even see the number of incidents increase as the industry’s ability to detect breaches continues to improve. We can also expect that ransomware attacks will continue to besiege the industry and that insider threats will continue to wreak long-term havoc on patient’s lives if not immediately detected.
2017 has proven that the healthcare industry needs to be more proactive in monitoring for potential data breaches. The awareness of the threats from both external and internal bad actors is increasing and innovative solutions, like Protenus, are available to combat these threats. Healthcare organizations need to ensure preventing health data breaches is a top priority in 2018 and utilize the technology available to better protect their patients’ most sensitive information.
Listen to Breach Barometer authors discuss the full impact of data breaches on healthcare throughout 2017.