Hackers increasingly are turning their attention to the health care sector—but data breaches among certain industry stakeholders are more likely to compromise patient records than others, according to a study published last month in JAMA.
Health data breaches on the rise
For the study, researchers analyzed all breaches reported to HHS' Office for Civil Rights between Jan. 1, 2010, and Dec. 31, 2017. By law, all breaches of at least 500 records must be reported to the federal government.
The researchers found there had been 2,149 health data breaches involving 176.4 million records in that time frame. The breaches varied in size, from as few as 500 records to as many as 78.8 million.
The annual number of breaches increased every year, except in 2015, the study found. According to the researchers, there were 344 breaches in 2017, up from 199 in 2010.
Insurer breaches more likely to compromise patient records
The study found providers were most likely to be breached, accounting for 70% of reported breaches. However, according to the study, provider-related breaches only accounted for 21% of compromised medical records. Insurers, on the other hand, accounted for 13% of reported breaches and 63% of compromised medical records.
Thomas McCoy, the lead author on the study and an assistant professor of psychiatry and medicine at Harvard University as well as the director of research for the Center for Quantitative Health at Massachusetts General Hospital, said, "A small number of breaches account for the majority of records breached."
The study also highlighted a shift in the way breaches occurred. In 2010, physical theft, such as stealing a physician's laptop, accounted for the majority of breaches, but by 2017 breaches were far more likely to occur via hacking.
Similarly, the researchers found the target of breaches shifted away from physical laptops and desktops toward network servers, where larger amounts of data are stored. According to the study, 139.9 million records were compromised on network servers in 2017, up from 1.1 million in 2010.
What to make of this
Health IT experts note that health care data remain invaluable to hackers and that the shift from paper-based to electronic-based systems has given hackers access to larger pools of data.
The authors concluded that while EHRs have "the potential to improve clinical care and facilitate learning health systems, they also have the potential for harm to vast numbers of patients at once if data security is not improved."
Chris Carmody, SVP of infrastructure and services and president of ClinicalConnect Health Information Exchange at the University of Pittsburgh Medical Center, said, "There's financial data embedded in health data—your name, your address, your social security number. With that information someone could go out and get a credit card account. Or a criminal could go out and sell it on the dark web, the shady part of the internet where identities are sold and traded."
Carmody added that health care is commonly seen as the "easiest target" for hackers. As a result, he said data breaches "will probably happen to most organizations at one point or another and maybe even multiple times" (Spitzer, Becker's Health IT & CIO Report, 9/26; Baker, "Vitals," Axios, 9/26; Carroll, Reuters, 9/25; Ross Johnson, Modern Healthcare, 9/25).
Advisory Board's take
The statistics in this new study are quite concerning and reinforce the need for health care organizations to continue maturing and expanding their cybersecurity programs. As an industry, we have made strides in the past couple of years in improving our technology posture and security processes, but as the data here suggest, the cyber threats we face continue to grow in sophistication and magnitude and become more difficult to combat.
While breaches at providers accounted for only 21% of total breached records, these breaches and related incidents can have devastating consequences for health care organizations. Not only is the immediate clean-up expensive, but class action lawsuits are now commonplace following a breach. And certain incidents, like ransomware, can halt clinical activity for hours and even days, with effects that continue to reverberate long after the attack. As a result, every health care organization needs to have a strong strategy in place to mitigate cyber risk.
You can’t eliminate cyber risk completely. Rather, the most progressive organizations have a well-funded and widely-supported security program that matches their specific organizational culture and operational needs and ultimately is aimed at mitigating risk down to an acceptable level (as set by the board of directors). And this isn't just about having the best technology. A strong cybersecurity strategy requires inclusive governance, clearly defined and enforced policies as well as continued education and process implementation across all areas of the enterprise.
Executives need to play a crucial role in this strategy. While the chief information officer (CIO) and chief information security officer (CISO) will be critical partners, they can't be left to lead the charge all on their own. For example:
- The board can ensure mechanisms are in place to track security status and progress;
- The CEO can include cybersecurity in due diligence of any M&A or partnership activity;
- The CMO and CNO can make the clinical voice heard in the organization's security governance;
- The CFO can ensure funding requests for security tools and services are vetted against a security strategy and roadmap;
- The COO can ensure business continuity plans are in place, tested, and work well across all shifts; and
- The CHRO can ensure the security team has the necessary staff to operationalize its security strategy.
Want to learn more about what you should be doing in your role? Check out our new cybersecurity cheat sheet series which outline what executives in every role should be doing—and the key questions they should be asking—to help their organizations stay secure.
Then, register to join us on October 30th from 3:00-4:00 pm ET to learn about how leading organizations have engaged their executive leaders in cybersecurity efforts.
Oct. 30 webconference: Cybersecurity and the C-Suite
Most senior executives have yet to find a clear path to engage in cybersecurity’s complicated, ever-changing landscape. Here’s how several health systems have blazed that path for their C-suites and boards.