The total number of individuals impacted by healthcare data breaches at health plans surged by more than 1,000 percent in the first five months of 2018, according to Fortified Health Security’s 2018 Mid-Year Horizon Report.
Health plans reported 24 breaches that affected 884,360 individuals in the first five months of this year, up from 15 breaches affecting 70,166 individuals during the same period last year.
Business associates also saw a jump in number of breaches and individuals affected. They reported 12 breaches affecting 100,602 in the first five months of 2018, up from seven breaches affecting 71,462 individuals during the same period in 2017.
Despite this jump in health plan and business associate breaches, healthcare providers continue to make up the lion’s share of healthcare data breaches, accounting for three-quarters of the reported breaches and 65 percent of individuals affected.
Overall, there were 149 breaches reported with over 2.8 million individuals impacted in the first five months of 2018, as compared to 134 breaches impacting 2.0 million individuals during the same period in 2017. This is an 11 percent increase in the number of organizations affected and a 35 percent increase in the number of individuals affected, the report noted.
Email attacks accounted for almost 28 percent of all reported breaches thus far in 2018, up 3 percent from last year.
“While we have made progress in some areas and continue to invest in cybersecurity as an industry, most healthcare organizations are not allocating enough capital to keep up with the momentum of our adversaries,” said Fortified Health Security President Dan L. Dodson.
“It’s important to remember that training and awareness should be the cornerstones of any solid cybersecurity program as having the right people in place continues to be our biggest challenge,” he added.
The report also examined the Food and Drug Administration’s medical device safety action plan that was released in April.
In the plan, the FDA proposed taking the following steps:
• Establish a medical device patient safety net
• Explore regulatory options to streamline implementation of postmarket mitigations
• Spur innovation towards safer medical devices
• Improve medical device cybersecurity
• Integrate the Center for Devices and Radiological Health's premarket and postmarket offices and activities to expand the use of a total product life cycle approach to device safety
As part of the plan, the FDA said it is considering a requirement for firms to build security updating and patching into product design and to submit a “software bill of materials” to the FDA, an update to the premarket guidance on medical device cybersecurity, a new postmarket authority that would require firms to adopt policies and procedures for coordinated vulnerability disclosure, and the development of a CyberMed Safety (Expert) Analysis Board.
In its report, Fortified Health Security said that the FDA plan “does not adequately account for the sheer volume of medical devices that are already on the market.”
Healthcare organizations are unlikely to approve capital expenditures on medical devices for security upgrades if the devices still work. There are hundreds of thousands of connected medical devices that are running unpatched, outdated software and are vulnerable to an attack, the report observed.
Also, the plan focuses only on the current state of medical device security and does not adequately address the future threat landscape, in which new threats to medical device security are likely to arise.
The healthcare industry needs these devices, and there is no countervailing market pressure for better device security, the report observed.
“Until the FDA and HHS (and the OCR) get on the same page and force manufacturers to take security seriously and, more importantly, hold them accountable, the industry will continue to struggle and the risk of catastrophic failure will increase,” the report warned.
Fortified Health Security recommended that the FDA or OCR be given the power to levy fines on manufacturers for poor medical product design and poor maintenance when it comes to security.