Healthcare data breaches due to hacking have increased immensely from 2014 to 2015, according to a recent report from Bitglass.
In 2014, 68 percent of healthcare data breaches were caused by lost or stolen devices containing health information, making that the largest source of data breach. In just one year, hacking and IT events have become the largest source of healthcare data breaches, with a total of 98 percent of data breaches being caused by hacking events.
Bitglass credits this massive increase to the handful of large-scale data breaches which occurred in 2015. These include the Premera Blue Cross data breach, which resulted in 11 million breached records, and the Anthem data breach, which resulted in approximately 78.8 million breached records.
It should be noted, however, that if one were to exclude the six major healthcare data breaches from 2015, hacking would still be the top cause of data breaches for the year.
In total, hacking incidents have resulted in 111 million breached records this past year, according to the Office of Civil Rights’ data breach database. This is due to the considerable increase in hacking incidents; in 2014 there were 31 hacking incidents in the healthcare industry, while in 2015 there were 56 breach incidents.
Overall, there was a significant increase in the number of individuals affected by healthcare data breaches from 2014 to 2015. As stated above, 2015 saw 111 million individuals affected by a hacking breach, compared to approximately 1.8 million in 2014. In total, 2015 saw 113 million individuals affected by a healthcare data breach, while 2014 only saw 12.5 million.
Bitglass explains that these large-scale health data breaches are done through sophisticated hacks. For example, the Premera and Anthem breaches were both results of phishing attacks.
In both instances, hackers registered domains that looked like each company’s actual website, such as “prennera.com” or “we11point.com.” These spoofed domains were sent to organization administrators, prompting them to log in to perform a certain action. In logging into the spoofed sites, the administrators inadvertently compromised their log-in credentials, giving the hackers access to the actual organization websites.
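The two spoofed domains quoted above rely on character sequences that read like other letters ("nn" for "m", "1" for "l"). The following is an added example, not part of the original article or the Bitglass report, showing how a defender could flag such lookalikes in mail or proxy logs; the watch list, the substitution table and the sample domains are assumptions chosen for illustration.

```python
# Added example: flag lookalike domains such as those named in the article.
# CONFUSABLES, PROTECTED and the sample domains are constructed assumptions.

# Character sequences that read like another letter at a glance.
CONFUSABLES = [("nn", "m"), ("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

PROTECTED = ["premera.com", "wellpoint.com"]  # assumed watch list


def skeleton(domain: str) -> str:
    """Lower-case the domain and collapse confusable sequences."""
    s = domain.strip().lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, protected=PROTECTED, max_typos: int = 1):
    """Return (verdict, matched_brand) for one observed domain."""
    d = domain.strip().lower().rstrip(".")
    if d in protected:
        return ("legitimate", d)
    sk = skeleton(d)
    for brand in protected:  # same skeleton, different spelling
        if sk == skeleton(brand):
            return ("homoglyph-lookalike", brand)
    for brand in protected:  # dropped, added or swapped character
        if edit_distance(sk, skeleton(brand)) <= max_typos:
            return ("typo-lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample: domains as they might appear in mail or proxy logs.
    for seen in ["premera.com", "prennera.com", "we11point.com",
                 "welpoint.com", "example.org"]:
        print(f"{seen:16} {classify(seen)}")
```

The check compares whole domain names, so subdomains would need to be reduced to the registrable domain before calling `classify`.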
These kinds of phishing schemes, and hacking healthcare data in general, are becoming increasingly popular due to the value of healthcare information. Because PHI contains sensitive personal information such as Social Security numbers, thieves benefit from stealing it. It also helps that it tends to take healthcare organizations a while to notify patients of the breach, giving the thieves plenty of time to misuse the information.
Healthcare data breaches are slated to be a concern throughout 2016 as well. According to an Experian white paper, the value of the information stored by healthcare organizations makes data breaches a continued threat going into the rest of this year.
“We predict that healthcare companies will remain one of the most targeted sectors by attackers, driven by the high value compromised data can command on the black market, along with the continued digitization and sharing of medical records,” Experian explained.
This threat persists also because of the increased push for EHR use. As the healthcare industry overwhelmingly transitions from paper to electronic recordkeeping, health data becomes more vulnerable to hackers and thieves.
“With the move to electronic health records (EHRs) continuing to gain momentum and becoming more widely accessible through mobile applications, the attack surface continues to grow,” Experian stated.
However, while the Bitglass report focused primarily on the large-scale healthcare data breaches that occurred during 2015, Experian predicted that the growing number of smaller breaches would add up to considerable damage.
“While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by employee negligence will also continue to compromise millions of records each year. These incidents are often due to employees mishandling paper records or losing physical back-up of information,” Experian confirmed.
It’s clear through the overwhelming increase of the total amount of healthcare data breaches in 2015 that healthcare organizations need to reinforce their security efforts. Between reeducating employees in proper data handling and strengthening cybersecurity efforts, healthcare organizations have a lot to do in the face of growing security threats.