2015 was a bad year for healthcare security. It was so bad that the Office of Civil Rights (OCR), an agency that falls under Health and Human Services, publicized healthcare data breaches on what it called the “Wall of Shame.” The wall was actually a website that published breach information (reporting is required by HIPAA) and made it available to the public. According to OCR, in 2015 there were 253 healthcare breaches, each affecting 500 individuals or more, with a combined loss of more than 112 million records. 2015 was also the year of the largest healthcare breach in history, with Anthem losing 78.8 million highly sensitive patient records and an additional 8.8 to 18.8 million non-patient records.
We’ll have to see what the remainder of 2016 brings, but IDC’s Health Insights group predicted as many as 1 in 3 healthcare recipients could be the victim of a data breach this year. Last year, the bulk of all breaches were reported as “Unauthorized Access/Disclosure,” but 90% of the top ten breaches were reported as “Hacking/IT Incident.” So far in 2016, we’ve seen a different trend emerging with stolen or lost devices and improper disposal becoming top threats as well. Here are the top three falling into this growing category (so far this year):
- Agency: Community Mercy Health Partners
  What happened: Paper records found in dumpster
  Individuals affected: 113K
- Agency: Premier Healthcare, LLC
  What happened: Laptop stolen from locked/alarmed administrative office (laptop was password protected only and information was not encrypted)
  Individuals affected: 205K
- Agency: Radiology Regional Center, PA
  What happened: Paper records lost from truck on the way to the incinerator
  Individuals affected: 483K
View the full 2016 Healthcare Breach Report on the OCR site.
The largest loss of personal healthcare records so far this year was a Hacking/IT incident at 21st Century Oncology, which affected 2.2 million individuals. Although the breach happened in December 2015, the company did not notify the SEC until March of this year. 21st Century Oncology is now facing a class-action lawsuit claiming the company neglected to implement adequate security measures to protect EMRs, resulting in a breach that exposed them to “substantial financial and other injury and damage.”
As these high-profile breaches become more frequent and harder to detect and control, healthcare organizations maintain a bad reputation for being behind the times and slow to adopt security technology. Healthcare organizations are usually underfunded for security improvements, as cyber security is less likely to garner attention from executive decision makers. That being said, hackers are not dumb. They know these organizations are easy targets, protected by nothing more than a user name and password.
Fraser Health Authority in British Columbia, Canada is quite different from traditional healthcare organizations. Forward thinking and proactive, this organization implemented certificate-based authentication and issued smart card badges to all 26,000 employees and 2,500 physicians. Fraser not only greatly improved security, but they also saw benefits in terms of operating cost reduction, employee morale and patient satisfaction. Fraser is a prime example that implementing strong security protocols is not just a necessary evil, but rather a positive improvement to antiquated systems. Read the Fraser Health Authority Case Study.
Next post, we’ll take a look at why health records are such a hot commodity for hackers and how this will continue to drive activity. We’ll also explore security in Sweden and how their security solutions are more advanced than other countries, including the United States.