This past year saw over one million patient health files breached through nearly 258 large-scale healthcare data breaches. According to Redspin’s recent Breach Report 2015: Protected Health Information (PHI), 98 percent of those breaches were caused by an IT hacking incident.
The report, which highlights the growing threat to healthcare data security, breaks down the number of security incidents throughout 2015, showing that the improving sophistication of data hackers is putting a major target on healthcare data.
Dubbing 2015 “the year of the hack,” the Redspin report shows that hacking and IT security incidents have driven exponential growth in data breaches. Since 2009, the healthcare industry has seen 154,368,781 patient health files breached, and 113,208,516 of those files were breached in 2015 alone. That means nearly 73 percent of all breached patient files were exposed within the past year.
At the same time, 2015 saw an incredible influx of large-scale healthcare data breaches due to hacking or IT incidents. In 2014, only a little over half of healthcare data breaches were the result of hacking or IT incidents; in 2015, 98 percent of breaches were the result of hacking.
As sophisticated tactics such as phishing became more widespread, healthcare organizations grew more vulnerable to massive and devastating data breaches.
Just two months into 2015, one of those massive attacks happened at Anthem, totaling 78 million patient files breached. Similar attacks happened later on in 2015 at Premera Blue Cross (11 million patient files breached) and Excellus Health Plan (10 million patient files breached).
All three of these breaches began with phishing, in which attackers lure employees into disclosing their login credentials or inadvertently downloading malware, typically through email. Phishing will continue to pose a threat to healthcare data security going forward.
“Because phishing attacks exploit human vulnerabilities rather than technical, healthcare organizations must step up their security awareness education efforts for all employees,” Redspin explained. “They need to be better trained to recognize phishing schemes through social engineering testing and security awareness training. Policies may also need to be tightened.”
Hacking events were not limited to health insurers. Providers such as UCLA Health were also hit. This past July, UCLA Health reported that its databases had suffered a cyberattack, exposing nearly 4,500,000 patient files.
These massive data breaches are becoming a financial concern for healthcare organizations. Until now, many organizations have found it more economical to absorb the cost of a breach after the fact than to invest in better security. In the wake of these large-scale breaches, however, investing before an attack may prove the better choice.
Organizations are also weighing the cost of reputational damage. Breaches like those at Anthem and UCLA Health were highly publicized, and it is reasonable to assume they affected the organizations’ reputations. Such damage may cost them potential customers in the future, further justifying investment in health data security.
Going forward, several outside entities are working to mitigate these healthcare data security threats. The Senate Health Committee has been consulting healthcare industry stakeholders to reevaluate provisions regarding healthcare data security. Other federal agencies, such as the Food and Drug Administration (FDA), have released regulations for medical device security.
Although few expect the threat of hacking to recede anytime soon, efforts to improve security are proving at least modestly effective. More healthcare organizations are prioritizing data security in their business spending, and more are preparing for a potential breach in advance rather than responding only after the fact.
“Securing the healthcare environment should now be a part of every health organization’s strategic plan,” the report concluded. “Embracing IT security in its full definition – confidentiality, integrity, and availability – is in alignment with other strategic goals such as improved patient care delivery and better patient outcomes.”