Healthcare Information Security

Lessons Learned from 2015 Healthcare Data Breaches

The healthcare data breaches from 2015 hold important lessons for covered entities to ensure that the same mistakes do not occur again.

Last year was filled with healthcare data breaches, with the top three alone combining to affect nearly 100 million individuals.

Covered entities must learn from past healthcare data breaches for future prevention

Will 2016 hold the same potential threats to covered entities? How can healthcare organizations best prepare for cybersecurity threats, while still implementing the latest technologies?

HealthITSecurity.com reviewed some of the major lessons for healthcare from last year’s most prominent data breaches, and also discussed key takeaways for covered entities with Institute for Critical Infrastructure Technology (ICIT) fellows.

Recent releases from The Office of the National Coordinator for Health Information Technology (ONC) also highlight important areas in terms of patient data security, and how individuals’ concerns might play a role in how covered entities work to keep information secure.

Healthcare cybersecurity threats will only continue to evolve, but a more thorough understanding of what those possible threats may be will help covered entities better prepare and make the necessary changes for their daily operations.

Tips for improving healthcare cybersecurity

The Office of Personnel Management (OPM) data breach was one of several large-scale data breaches in 2015, and also had ramifications for the healthcare industry. The OPM breach was also a wake-up call for the public sector, according to ICIT fellow Igor Baikalov.

“There was realization of how serious the consequences of a compromise of seemingly boring data can be, and how badly that data was protected,” Baikalov told HealthITSecurity.com. “It hit home, as it should have, after over a dozen of classified briefings and open hearings.”

Moreover, “the OPM debacle” led to a lot of soul searching amongst government agencies, he added. There was also a rush to implement security measures that control access to sensitive data, such as data encryption, multi-factor authentication, and data segmentation.

A multi-pronged approach to cybersecurity will also be greatly beneficial, as defense in depth is one of the fundamental security principles that assures that there is no single point of failure in the protection of information assets.

“Cybersecurity is asymmetric by nature,” Baikalov explained. “Attackers have to be right only once, while defenders have to be right every time. Multiple layers of defense attempt to level the playing field somewhat. Now, the attacker has to be right more than once to penetrate it.”

ICIT Co-Founder and Senior Fellow Parham Eftekhari agreed, adding that history has shown that regardless of how much money an organization invests in cybersecurity, hackers will eventually breach an organization’s defense.

“Cybersecurity leaders now understand that defending against threat actors requires a hybrid approach which includes basic cyber hygiene, perimeter defenses, advanced machine learning and behavioral analytics capabilities, encryption and perhaps most importantly proper training for both technical and non-technical staff,” Eftekhari said.

Moreover, the more layers of security that exist, the better an organization’s chances are of not only preventing as many breaches of possible, but they have a better chance at quickly identifying and stopping unauthorized access before data is extracted.

Looking ahead to 2016, Baikalov explained that data is becoming an increasingly valuable commodity, and that healthcare organizations need to catch up with financials on the maturity of their cybersecurity programs. These entities must also improve their ability to detect, mitigate, and remediate advanced cyber threats.

“One of the very interesting challenges going forward is that pay-for-performance reimbursement models increased the pressure on drug manufacturers to develop feedback mechanisms to measure the effectiveness of their product,” Baikalov maintained. “From smart pill dispensers to embedded nano-sensors, it has a potential to create a multitude of connected, but unable to defend themselves devices that will become the worst security nightmare.”

Baikalov also pointed out that IBM rightfully called 2015 “the year of the healthcare security breach.”

“With over 100 million medical records compromised and 55 recorded healthcare breaches, it’s hard to beat,” Baikalov stated. “The lesson is obvious: healthcare data is valuable, and we have a long way to go towards securing it.”

Eftekhari added that one of the fastest growing threat categories for all critical infrastructure sectors – including healthcare – is the use of Ransomware by threat actors.

“As we have seen in the recent attack on Hollywood Presbyterian, hackers are able to completely paralyze an organization until it pays a ransom which may or may not unlock their systems and data,” according to Eftekhari. “The hundreds of thousands or millions of dollars paid in ransom is a small price to pay for an organization when faced with the alternative of losing everything and threat actors know it.”

How PHI data breaches have affected individuals

Over 113 million individuals were affected by a PHI data breach in 2015, according to an ONC data brief, which cited data from the Department of Health and Human Services.

Furthermore, hacking incidents comprised nearly 99 percent of all individuals affected by breaches, while 97 hacking incidents affected less than 4 million individuals from 2011 to 2014.

ONC graph of PHI data breaches

Another drastic increase was in the source of information breached. Last year, just over 107.2 million individuals were affected by a network server breach. In 2014, approximately 7.2 million individuals were affected by the same type of breach.  

ONC also found that there was a drastic decrease in individuals' concerns about the privacy and security of both paper and electronic medical records between 2013 and 2014.

Specifically, 77 percent of individuals expressed concerns regarding the privacy and security of their medical records in 2012. In 2014, that number had decreased to 58 percent.

Other key findings from ONC included the following:

  • The proportion of individuals who expressed no concerns about the security of their medical records almost doubled between 2013 and 2014, from 11 percent to 19 percent
  • In 2012 and 2013, a little under half of individuals were "very concerned" about the privacy of their medical records, compared to 30 percent in 2014
  • In 2012 and 2013, approximately half of individuals were "very concerned" about the security of their medical records compared to 36% of individuals in 2014

“Preserving patient trust in the privacy and security of health information is a critical element in achieving an interoperable health IT infrastructure,” wrote Vaishali Patel, PhD MPH, Penelope Hughes, JD MPH, Wesley Barker, MS, and Lisa Moon, MPH. “As adoption of certified health IT and electronic exchange of health information grows across hospitals and office-based physicians, it is important to assess the impact of these changes on consumers' perceptions regarding the privacy and security of their health information.”

ONC graph of individuals' privacy and security concerns of medical records

ONC also found that between 2012 and 2014, despite potential privacy or security concerns, nearly 70 percent of individuals have supported electronically exchanging their health records.

However, ONC pointed out that the responses “reflect individuals' points of view prior to announcement in 2015 of several large health care information breaches.”

“Whether these recent breaches may negatively impact individuals' perceptions related to the privacy and security of their medical records and exchange of their health information is unclear and warrants monitoring,” explained the researchers.  

Finding the right balance between innovation and security

Overall, covered entities must regularly review their data security measures, and ensure that they do not create gaps in protection as they adopt new technologies. HIPAA compliance is essential, regardless of an organization’s size.

To that same effect, not all healthcare data security measures are necessarily needed for every entity. It’s important to adopt measures that suit an organization’s needs. From there, comprehensive and regular employee training can also help facilities stay compliant and secure.

Image Credits: ONC

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks