In February, Redspin (an Auxilio company and a leading authority on cybersecurity in healthcare) released its “6th Annual Breach Report: Protected Health Information (PHI)”, based on data from 2015. Under the breach notification rules introduced by the HITECH Act, large breaches of PHI (those affecting 500 or more individuals) must be reported promptly to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), and OCR publishes them.
The report assesses the overall effectiveness of the current policies and controls designed to safeguard PHI. It identifies significant trends and draws attention to the specific areas Redspin believes are most in need of improvement.
Between 2009 (the year HITECH went into effect) and December 31, 2015, there have been 1,437 large breaches of PHI affecting some 154,368,781 patients reported to the OCR.
Not a Good Year (Okay, the Worst Year)
The numbers for 2015 are astoundingly bad. The 258 large breaches reported in 2015 make up only about 18% of the 1,437 reported since 2009, yet the number of patient health records (PHR) affected in 2015, over 113 million, represents a staggering 73% of the more than 154 million records breached since 2009.
The 897% increase in records breached in 2015 versus 2014 was driven almost entirely by hacking attacks and IT incidents: over 98% of the records breached in 2015 were the result of hacking.
From 2009 through 2013, most incidents involved the theft or loss of unencrypted portable computing devices, many of which were worth more to the thieves as hardware than for the information they held.
Not so in 2015. In almost all cases, the information itself was the target of a deliberate intrusion. The three largest PHI breaches reported to date all appeared in 2015: Anthem with 78,000,000 records affected, Premera Blue Cross with 11,000,000, and Excellus Health Plan with 10,000,000. These three incidents alone accounted for 88.2% of all records breached in the calendar year.
Who Were the Targets and Why
All three of the largest attacks hit health insurers, and the shift in who was reporting was substantial. Comparing figures from previous reports, Redspin states: “prior to 2015, insurers reported less than 10% of all large PHI breach incidents and an even smaller percentage of records breached. Comparatively, in 2015, PHI breaches disclosed by insurers accounted for 23.6% of incidents and an overwhelming 90.9% of records.” The penalties for failing to report, and for noncompliance generally, are too great for companies to keep these breaches to themselves.
The reason insurers are targeted, according to Redspin, is that “large health insurers process and maintain enormous amounts of PHI, much more than a typical hospital,” which makes them far more rewarding targets for hackers and thieves.
How They Got In
In the three largest breaches, the attackers are believed to have used a combination of phishing and ‘similar name’ lookalike sites that convinced high-level employees they were entering credentials on the legitimate site.
The takeaway from the similarity of the attacks and the vector used is that people remain the weakest link in an organization’s security. Employee awareness and education are needed to counter the standard social engineering techniques that give bad actors their initial foothold, and access to PHI itself needs to be heavily restricted so that one phished account does not expose the whole repository.
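The ‘similar name’ sites mentioned above rely on domains that a hurried reader mistakes for the real one: a brand name embedded in a longer hostname, or a typo/homoglyph substitution such as "rn" for "m". The following is an added example (not code from the Redspin report or from any of the organizations named) showing one way to flag such lookalike domains in URLs harvested from a mail gateway. The protected domain list, the substitution table and the sample URLs are constructed assumptions for the demonstration; a production check would also use a public-suffix list and handle internationalized (punycode) hostnames.

```python
"""Flag lookalike ("similar name") domains of the kind used in credential phishing.

Added example; not part of the original report. The protected domains, the
homoglyph table and the sample URLs below are constructed for illustration.
"""
from urllib.parse import urlparse

# Assumption: the organisation's own registrable domains to protect.
LEGIT_DOMAINS = ["anthem.com", "premera.com"]

# Character sequences attackers substitute for look-alike appearance
# (applied to the candidate name before comparison).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Maximum edit distance at which a name still counts as a lookalike.
MAX_EDITS = 1


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'anthern' compares as 'anthem'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels.
    Assumption: no multi-part public suffixes (co.uk etc.) in the input."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the URL's hostname."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    candidate = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # Brand name embedded anywhere in a host we do not own,
        # e.g. anthem.com.secure-login.example or anthem-benefits.example
        if brand in host:
            return "lookalike"
        # Typo- or homoglyph-squat: near-identical after normalization
        if (levenshtein(candidate, brand) <= MAX_EDITS
                or levenshtein(normalize(candidate), brand) <= MAX_EDITS):
            return "lookalike"
    return "unrelated"


def scan(urls):
    """Classify a batch of URLs; returns {url: verdict}."""
    return {u: classify(u) for u in urls}


# Constructed sample URLs, as they might be extracted from inbound mail.
SAMPLE_URLS = [
    "https://www.anthem.com/login",                      # real site
    "https://www.anthern.com/login",                     # rn -> m homoglyph
    "https://anthem.com.secure-login.example/reset",     # brand as subdomain
    "https://prernera.com/portal",                       # rn -> m homoglyph
    "https://www.example.org/",                          # unrelated
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_URLS).items():
        print(f"{verdict:<11} {url}")
```

An edit-distance threshold of 1 is deliberately tight; raising it catches more squats but also flags unrelated short names, so in practice the hostnames flagged here would feed a block list or a user warning rather than an automatic verdict.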
Providers Didn’t Fare Much Better
Three of the five largest breaches reported by healthcare providers were due to hacking/IT incidents. While the total number of records breached was far smaller than for insurers, providers were still targeted with malware, phishing and, in one case, a direct attack on the organization’s servers. The counts may be smaller, but the largest provider breach (UCLA Health) still affected 4.5 million patients.
Healthcare Business Associates are at High Risk Too
When the HIPAA Omnibus Rule went into effect in 2013, the bar was raised for Business Associates (BAs) as well. BAs must fully comply with HIPAA and are held directly liable for breaches of protected health information within their control.
The fifth largest breach reported in 2015 came from an Indiana medical software company, Medical Informatics Engineering, after its server was attacked and compromised.
As more technology companies provide Software as a Service (SaaS) applications and data storage to healthcare providers, HIPAA will be enforced against them more stringently under the Omnibus Rule. If an application transmits, processes, or stores PHI on a provider’s behalf, HIPAA compliance is mandatory, and penalties are assessed just as they are for providers and insurers. Conducting regular HIPAA Security Risk Assessments (HSRA) helps this category of BA find weaknesses before an attacker does.
Getting the Resources to Protect Against Breaches
Many IT teams face opposition from non-technical C-level executives when asking for the money and resources needed to build a more robust security program. The report suggests this resistance comes from a perceived lack of ROI on security. It goes on to point out, however, that breaches are costly not only in potential fines: the loss of consumer confidence after a breach damages reputation and carries a real risk of losing customers. Framing the case around the potentially catastrophic after-effects of a breach can steer the conversation back to allocating the resources IT teams need for tighter security and system auditing.
The conclusion that hackers are targeting repositories holding large amounts of PHI is inescapable. The alarming number of successful, planned, and sophisticated attacks reported in 2015 was predicted in the previous year’s Redspin Breach Report. There is no reason to believe these attacks will stop, and the report expects them to broaden in scope and frequency. The only practical response is to invest the time and resources in strengthening security at every level: train employees to recognize and avoid the attack vectors, and monitor your systems so that you present a less attractive target and detect security issues at the earliest possible moment.
Breach Report 2015: Protected Health Information (PHI) can be downloaded here.