5 Takeaways From Reviewing 2018’s Healthcare Data Breaches
In 2018, the U.S. Healthcare Industry Remained a Hot Target for Data Breaches.
Last year alone, over 15 million patient records were affected with an average of one data breach occurring every 24 hours in the healthcare industry.
It goes without saying that hackers and cyber attackers are finding ways around/through/past security defenses—exploiting vulnerabilities and mounting successful cyber attacks on a daily basis—and into “secure” networks rich with sensitive personal data and health information.
Earlier this quarter, Protenus, in collaboration with DataBreaches.net, released its 2019 Breach Barometer report. The Protenus report covering 2018’s healthcare data breaches provides an overview and analysis of 417 (out of a total of 503) healthcare data breaches reported to HHS.
In reviewing the healthcare data breach report, we extracted five key takeaways…
1. Healthcare data breaches remain undetected for an average of 255 days (down from the 308-day average dwell time in 2017).
When responding to a data breach, speed is everything. For hospitals and healthcare organizations, which hold sensitive patient data (e.g., SSNs, insurance information, bank account details), waiting for an alert or security incident is not the best practice. Security practitioners within healthcare organizations must be proactive and go find/fix hidden breaches before attackers are able to extract data and cause damage. Simply running daily cyber security compromise assessments would enable any hospital or healthcare org to reduce its dwell time to within 1 day.
A 255-day dwell time (over eight months) is a significant improvement over 2017’s 308-day average dwell time, but it’s still not nearly good enough, especially considering the amount and types of information hospitals, healthcare orgs, and the like are responsible for protecting.
2. Better cybersecurity education, training, protocols, and access controls are needed to protect sensitive health data from insider threats.
While almost half of last year’s healthcare breaches were a result of hacking (45%), a significant number were the result of insider threats, accounting for almost one-third of all healthcare data breaches in 2018. One case of insider wrongdoing involved an employee illegally accessing and sharing patient data, which continued over the course of a 15-year career.
Now, combine the cyber-educational gap of your average caregiver with the malicious intent of an angry assistant, and you have the makings for a highly destructive insider threat.
If healthcare employees continue to carry an entire patient database in their pockets, cybersecurity practitioners need to enforce a stricter list of access controls to reduce the risk of insider-focused attacks.
3. Despite increased awareness, phishing still accounted for a large number of healthcare cyber attacks in 2018.
Despite an overwhelming increase in the number of cybersecurity tools available for email, many have yet to fully integrate with the legacy antivirus software still used at many hospitals, so decision-makers are hesitant to invest. There is also a direct correlation between the number of ransomware attacks and phishing attempts, leading investigators to believe that dark-web email campaigns are well planned and coordinated across state lines. In other cases, phishing and ransomware may be used as a decoy to mask a less obvious attack vector. Both hacking techniques—phishing and ransomware—show no signs of slowing down this year.
4. Third-party providers, or Business Associates (BA), are more responsible than ever.
Health systems use BA companies for contractual services due to the lack of internal staff needed to manage the security/IT systems used within healthcare organizations and hospitals. As an attack vector, Business Associates accounted for 10% of all healthcare data breaches in 2018.
5. From a technological bird’s-eye view, healthcare is stuck in the 20th century.
With a continued lack of confidence in today’s cyber tools, healthcare organizations and health systems remain tied to the archaic application of fax machines, pagers, and paper shredders. While more and more entities promise to abandon the ways of old, sensitive patient data will remain vulnerable to prying eyes (both physical and digital) until new cyber methods are deemed breach-proof.
In conclusion, our hospitals and healthcare providers need more than just a laundry list of HIPAA rules. There needs to be more education and more training of the people working in healthcare, and more robust systems in place to continually assess, validate, and strengthen a hospital’s security ecosystem.
In short, hospitals need to be more proactive vs. reactive when it comes to defending our healthcare data.