The Wall of Shame must be dripping with guilty tears. The Office for Civil Rights has just reported more data breaches than in any other month since the Department of Health and Human Services started recording healthcare data breaches in 2009. In April, 46 healthcare data breaches were reported — a 48% increase from March and 67% more than the average number of monthly breaches in the last six years. The only mild comfort is that the number of patient records exposed in April was only(!) 694,710 — a 24% reduction from March. That’s still a LOT of patient information!
What has caused the enormous increase in breaches? A major rise in phishing, IT hacking, and ransomware attacks, mostly within many providers — but also within six payors. Only three breaches included business associate involvement, although one business associate breach of 206,695 patient records was the largest breach of the month. Here’s what you should know to better understand how your organization may need to beef up its precautions.
Quick stats — not mutually exclusive:
- Phishing attacks — malicious email attacks that pretend to be legitimate communications — are increasingly sophisticated and were super successful in April. Despite providers’ and business associates’ IT protection solutions and employee training, staff remain very vulnerable. Email phishing was the most common cause of breaches in April: 22 data breaches, or 48% of the breaches reported in April 2019. These phishing incidents fed the unauthorized access/disclosure category, which exposed 264,016 records, 38% of April’s total breached records.
- IT systems hackers caused the most compromised records (via malware and more) in April 2019: 384,219 records, or 55% of the total.
- Ransomware attacks are on the rise again after would-be profiteers took a slight vacation in 2018. Healthcare is the most attacked industry, according to the HIPAA Journal. Network servers were the major targets, accounting for 11 breaches (23.9% of April’s breaches), which include malware and ransomware attacks.
- Even physical records like paperwork, charts, and films contributed significantly to the April PHI-loss debacle, causing 6 breaches or 13% of April’s total.
What is the worst possible outcome of a healthcare systems hacking exploit?
How about the wiping of ALL files — patient records, payment data, appointment schedules — by the hacker? This is exactly what happened on April 1 to the Brookside, Michigan ENT and Hearing Center. Fortunately, this was a small facility rather than a major hospital — but it can happen to any healthcare organization.
Brookside’s physician owners refused a demand for $6500 in ransom by the hacker, who had encrypted the entire computer system. Then the hacker completely wiped the system.
The fallout was not pretty. The only good news for the Brookside facility is that no patient data was accessed or copied before the system data was erased. But, the two physician owners had to close the practice and retire early; reconstructing their databases would have been too costly and time-consuming. Now, their patients have to rebuild their records from scratch with another practice.
What are the major causes of these security compromises?
A new Forescout study indicates that the healthcare industry is “overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured.” Further, the high number of devices and different operating systems is a major obstacle for IT security teams. The study revealed that 40% of healthcare organizations’ deployments used “more than 20 different operating systems, 41% of VLAN platforms used a variety of mobile, network, and embedded infrastructure, and 34% of healthcare deployments had more than 100 vendors connecting to the network.” Adding insult to injury, many vendors that are responsible for patching their systems don’t know whether those patches have been correctly applied by their healthcare clients.
The rate of cyber attacks in the healthcare industry is more than double the rate of attacks on other industries, and HIPAA compliance is simply not sufficient.
Undoubtedly, the increasing frequency of attacks affects how secure consumers believe their health records are; the press has no qualms about publishing incidents. Hopefully, we all know that HIPAA requires healthcare organizations to implement security measures to keep protected health information private and confidential, and that major fines are issued both to healthcare organizations and to responsible individual workers as a result of data breaches. It can’t be repeated enough that compliance with HIPAA is not enough.
We recommend reading several recent knowledge resources we have created to help healthcare organizations meet the challenges of organizational and patient privacy and security. Just click through these links:
Phoenix Health Systems provides world-class hospital IT outsourcing services, including security and other IT consulting — and vendor-independent 24 X 7 X 365 onshore Service Desk outsourcing. Please contact us for more information.