Healthcare Data Breaches

Considering the number of patient records stolen has increased over 6x since 2017, the answer to that question is uncomfortably clear. In this short article, I’ll unpack this topic and also cover the drivers behind the increase we’re seeing in healthcare data breaches.

The Bad, The Ugly

First, let’s look at how bad things really are. Earlier this year, 20 million records were exposed in a single breach against American Medical Collection Agency (AMCA), an intrusion that persisted over an 8-month period. The incident was discovered only when patient data was found for sale on the Dark Web (1). AMCA has since filed for Chapter 11, but the breach leaves a wake of problems for others in the industry that had provided patient data to AMCA, including Diagnostics, LabCorp, and BioReference, all of which are facing investigations and lawsuits.

Another notable breach was Dominion National, which had close to 3 million patient records stolen over a period of 9 years. Yes, a cyber attack spanning 9 years! The compromised servers contained enrollment and demographic information of current and former members of Dominion National’s vision plan, as well as data on individuals’ dental and vision benefits. This breach also affected partners, including plan producers and health providers.

There has been at least one health data breach a day since 2016, and already 285 breaches reported between January and June 2019. (2)

What’s Driving Cyber Criminals?


A patient’s healthcare record sells for $1000 on the Dark Web, compared to $110 for full credit card data and $1 for a Social Security Number. (3)

The reason for this is that cyber criminals have figured out they can do far more with a person’s healthcare information. Here are a few examples of the fraud driving patient record theft:

  • Filing fraudulent insurance claims
  • Fake medical prescriptions for drugs and devices
  • Getting treatment under a false identity

And, unlike credit card data, healthcare data is essentially permanent and can’t be cancelled or reissued, which contributes to its high value among criminals.

Security is Still Largely a People Problem

While cyber criminals are stepping up their attacks on healthcare, it’s important to remember that insiders are nearly as big a threat as external attackers. According to a study by the US Department of Health and Human Services, 42% of the breaches occurring between 2009 and 2017 resulted from current or former employees (4). Most insider breaches are unintentional, but the resulting damage can still be significant. Some examples of unintentional data breaches in healthcare:

  • Sending or saving sensitive data externally to a personal account
  • Email containing sensitive data sent to the wrong person within one’s own organization
  • Clicking and dragging sensitive files to a public / shared server by accident
  • Posting sensitive data in collaboration tools such as Slack, Trello, or GitHub
  • Theft or loss of PC/laptop or media storage equipment containing sensitive data

Security requires a combination of technology, processes and people, and security experts agree that people are often the weakest link. More companies are making security awareness training part of their annual retraining. This is helping, but is it enough? Investment in security technology still far outweighs the funding allocated to training people to increase awareness, teaching safe security practices, and creating a culture of accountability.

Heads-up! HIPAA has Grown Teeth


The Health Insurance Portability and Accountability Act (HIPAA) has been around since the mid-1990s, with one of its objectives being to set expectations and requirements for healthcare organizations to implement controls that secure patient data. Up until a few years ago, the fines settled under HIPAA for violating its security and privacy standards often amounted to little more than a slap on the wrist. But things changed in 2015 following the widely publicized Anthem data breach. The average HIPAA penalty is now $2.5M, a 250% increase since 2015, and total annual penalties approached $30M in 2018. (5) The launch of the General Data Protection Regulation (GDPR) in May 2018 has helped raise awareness of data privacy and of the penalties to expect. GDPR fines totaled €56M, or $63M, in its first year, which some believe has prompted regulators to step up HIPAA fines. If reputation/brand damage and loss of customer trust were not enough motivation for leadership to take notice of their security vulnerabilities previously, maybe the increased fines will attract the attention data protection deserves.

Summing it Up

Here are some key takeaways:

  1. The number of patient healthcare breaches is growing at an alarming rate and puts the entire digital health ecosystem at risk.
  2. Partners are often severely damaged in a breach. Choose your partners wisely and make sure they have a security program to protect sensitive data you share with them.
  3. Stolen healthcare data is now 10-20x more valuable than credit card data sold on the Dark Web.
  4. Untrained, unaware employees are nearly as big a threat as hackers and malware.
  5. Regulatory fines have grown substantially and are even more reason for leadership to step up their data protection initiatives.

Rett Summerville is the Cybersecurity & Compliance practice lead at CREO, an innovative management consulting firm that shapes growth companies into healthy successful organizations. Rett is a seasoned IT security and risk management leader with over 17 years of experience working in technical and business roles in software, fintech, and consulting services. He is passionate about helping clients transform their culture to improve security awareness, gain efficiencies, and maintain compliance. Rett promotes business-driven security and believes that good IT security practices can help companies be more competitive by enabling them to make better decisions quickly and confidently. Rett’s areas of expertise include regulatory compliance (GDPR, HIPAA, PCI DSS, CCPA), security frameworks (NIST Cybersecurity, 800-53/171, ISO 27001/2, and CIS), risk management and data governance. Rett enjoys community service and is a volunteer high school pole vault coach.
