Hacking is less common in the healthcare sector than theft and unauthorized disclosure, but hackers stole more than half of the breached patient records from 2009 to 2017, according to a new JAMA Internal Medicine report.
The study analyzed the 1,138 healthcare data breaches reported to the Department of Health and Human Services between 2009 and 2017. The researchers used the HHS-published breach descriptions to confirm the category and separate paper cases from electronic records.
About half of reported breaches were caused by an organization’s own mistakes or neglect, the majority of which were on mobile devices.
Of note: 4.4 million records were exposed in 117 health data breaches in the third quarter of 2018 alone.
The Breakdown
The researchers from Michigan State University and Johns Hopkins Carey Business School found that two-thirds of those security incidents were caused by unauthorized disclosure like a mailing mistake, or theft—most commonly someone from outside the organization or an unknown party.
Hacking accounted for just 20 percent of those breaches – but still managed to breach 133.8 million patient records. On the other hand, despite the number of incidents, theft and unauthorized disclosures only accounted for 42.5 million impacted records.
“Healthcare entities must understand the causes of protected health information breaches, if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” the researchers wrote.
The researchers also found that the most common corrective plans included encryption and restriction of mobile devices – if PHI was stored in the breached device. Other plans included digitizing PHI and enhancing physical security where paper records were stored.
And for those breaches occurring in the cloud, researchers found the impacted organizations went on to better monitor and audit access and strengthened network firewalls.
Cybersecurity Tops 2019 Priorities
On a positive note, the JAMA report comes on the heels of a study from the Center for Connected Medicine in partnership with the Health Management Academy that found cybersecurity will have the greatest impact on the healthcare sector in the coming year.
The groups surveyed 44 executives from 38 health systems and found that along with increasing telehealth and interoperability efforts, those organizations are “increasing their spending to defend against cyberattacks.”
“Cybersecurity is… right up there on top with regulatory problems and readiness for value-based care. Always there at the top,” one survey respondent wrote.
Cybersecurity also landed in the top spot in 2017, as leaders continue to shore up some of the biggest vulnerabilities. About 87 percent of those surveyed will increase cybersecurity spending in 2019, with half increasing those budgets by 5 percent. This is the second consecutive year that cybersecurity budgets will get a bump.
Those officials cite employee education as the greatest challenge, with 62 percent naming employees as the biggest potential vulnerability – as phishing topped the list as the most common cyberattack in the last year.
But only seven out of 10 respondents were confident in their organization’s cybersecurity posture. And earlier this month, a report found 75 percent of hospital administrators and providers felt underprepared for cyber threats.
“The people that are up to no good have far better tools than we do on our platforms. If they really target you, they will likely find a way in,” one survey respondent wrote. “We are not trying to make it impenetrable, but we are trying to make it more difficult to break into our system than others in our market.”